I wrote:

Conversion from a binary blob (struct berval*, BerElement read) to a char* string typically just grabs bv.bv_val even when the value may contain embedded '\0's.

In these cases, correct operation may require that the conversion fails if bv_len != (bv_val ? strlen(bv_val) : 0). Or if bv_val is not \0-terminated, to check if memchr(bv_val, '\0', bv_len) == NULL.

Examples: liblber/decode.c: ber_get_stringa, ber_get_stringb, ber_get_bitstringa, ber_scanf "aAv"

decode.c now rejects embedded NUL bytes in cases where we do not save the length anywhere. However it accepts terminating NUL bytes, which AD can send at least in diagonsticMessage: http://www.openldap.org/lists/openldap-devel/200911/msg00001.html