https://bugs.openldap.org/show_bug.cgi?id=10426
Issue ID: 10426
Summary: liblber: ber_get_stringbvl integer overflow enables heap buffer overflow via {M} parsing (32-bit builds)
Product: OpenLDAP
Version: 2.6.10
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs@openldap.org
Reporter: lukas@artiphishell.com
Target Milestone: ---
Created attachment 1105 --> https://bugs.openldap.org/attachment.cgi?id=1105&action=edit build.sh
## Issue description

Vulnerable location: `libraries/liblber/decode.c` in `ber_get_stringbvl()`
Root cause: in the first pass that counts elements, `tot_size += siz` is performed with `ber_len_t` and no overflow check. On 32-bit builds, a large BER sequence (e.g., SearchRequest attributes parsed via `{M}`) wraps `tot_size`. The allocation uses the wrapped value (`ber_memalloc_x(tot_size + siz, ...)`), producing an undersized buffer. The second pass then writes `i` elements into the vector (BvOff mode for `{M}`), advancing `tot_size` by `siz` and storing `struct berval` at `res.bo + tot_size`, which overruns the allocation.
Call path observed in the ASAN trace: `slapd` -> `do_search` (`servers/slapd/search.c:145`, `ber_scanf("{M}}")`) -> `ber_scanf` (`libraries/liblber/decode.c:815`) -> `ber_get_stringbvl` (`libraries/liblber/decode.c:471`) -> heap buffer overflow.
## Reproduction Steps
Build instructions:
```bash
mkdir /tmp/openldap-ber-get-stringbvl-overflow
cd /tmp/openldap-ber-get-stringbvl-overflow
# create the following files in this directory
chmod +x build.sh poc.sh
git clone https://github.com/openldap/openldap
./build.sh ./openldap
# Run the PoC
./poc.sh
```
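The length accumulation the report describes, as an added standalone C model rather than liblber's own code: `uint32_t` stands in for `ber_len_t` on a 32-bit build, and the function names and sample lengths are constructed for illustration. The unchecked pass reproduces the wrap; the checked pass shows the bound test that turns it into a decode error instead.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for ber_len_t on a 32-bit build (assumption: unsigned 32-bit). */
typedef uint32_t ber_len32_t;

/* Constructed element lengths: two 2 GiB entries plus a small tail. */
static const ber_len32_t sample_big[] = { 0x80000000u, 0x80000000u, 16u };
static const ber_len32_t sample_small[] = { 10u, 20u, 30u };

/* Unchecked first pass as the report describes it: plain addition, so a
 * sequence whose lengths sum past 2^32 silently wraps tot_size and the
 * allocation of (tot_size + siz) bytes comes out far too small. */
ber_len32_t count_pass_unchecked(const ber_len32_t *siz, size_t n,
                                 ber_len32_t last_siz)
{
    ber_len32_t tot_size = 0;
    for (size_t i = 0; i < n; i++)
        tot_size += siz[i];
    return tot_size + last_siz;   /* value handed to the allocator */
}

/* Hardened first pass: refuse the sequence instead of wrapping. Returns
 * false, leaving *alloc untouched, when any step would leave the counter's
 * range; a caller would turn that into a decode error. */
bool count_pass_checked(const ber_len32_t *siz, size_t n,
                        ber_len32_t last_siz, ber_len32_t *alloc)
{
    ber_len32_t tot_size = 0;
    for (size_t i = 0; i < n; i++) {
        if (siz[i] > UINT32_MAX - tot_size)
            return false;             /* tot_size + siz[i] would wrap */
        tot_size += siz[i];
    }
    if (last_siz > UINT32_MAX - tot_size)
        return false;
    *alloc = tot_size + last_siz;
    return true;
}

int main(void)
{
    ber_len32_t alloc = 0;
    printf("unchecked: %u bytes\n", count_pass_unchecked(sample_big, 3, 8u)); /* 24 */
    printf("checked accepts: %s\n",
           count_pass_checked(sample_big, 3, 8u, &alloc) ? "yes" : "no");
    return 0;
}
```

The unchecked total for the sample wraps to 24 bytes, which is the undersized allocation the second pass then overruns; comment #4's point is that the incoming packet size limit, unless disabled as in the reporter's configuration, keeps sequences of this size from reaching the decoder at all.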
--- Comment #1 from lukas@artiphishell.com --- Created attachment 1106 --> https://bugs.openldap.org/attachment.cgi?id=1106&action=edit poc.sh
--- Comment #2 from lukas@artiphishell.com --- Created attachment 1107 --> https://bugs.openldap.org/attachment.cgi?id=1107&action=edit Crash Report
--- Comment #3 from lukas@artiphishell.com --- Created attachment 1108 --> https://bugs.openldap.org/attachment.cgi?id=1108&action=edit Proposed patch
Howard Chu hyc@openldap.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |INVALID
--- Comment #4 from Howard Chu hyc@openldap.org --- Hi, looks like this is an invalid configuration, since you explicitly disable packet size limits. Also, even without packet size limits, you can only trigger this on a 32bit build, but nobody deploys 32bit servers any more.
```
# lift incoming size checks so large PDUs are accepted
sockbuf_max_incoming 0
```
Closing this as invalid.
--- Comment #5 from lukas@artiphishell.com --- Understood, thanks for the clarification!
Issues like this, where configurations cause crashes, are handled differently across projects. I hope it wasn't too much of an inconvenience.
Quanah Gibson-Mount quanah@openldap.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|needs_review                |
             Status|RESOLVED                    |VERIFIED