rohanskurane@gmail.com wrote:
Full_Name: Rohan Kurane
Version: 2.4.40
OS: BSD 7.2
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (64.80.217.3)

In ldap_new_connection() in request.c, while setting up a connection to the LDAP server, there is a possibility of dereferencing a NULL pointer in lc->lconn_server.
Fixed in git master. Please don't send HTML emails, they're particularly unreadable with embedded code like this.
    if ( connect ) {
        LDAPURLDesc **srvp, *srv = NULL;

        async = LDAP_BOOL_GET( &ld->ld_options, LDAP_BOOL_CONNECT_ASYNC );

        for ( srvp = srvlist; *srvp != NULL; srvp = &(*srvp)->lud_next ) {
            int rc;

            rc = ldap_int_open_connection( ld, lc, *srvp, async );
            if ( rc != -1 ) {
                srv = *srvp;

                if ( ld->ld_urllist_proc && ( !async || rc != -2 ) ) {
                    ld->ld_urllist_proc( ld, srvlist, srvp, ld->ld_urllist_params );
                }

                break;
            }
        }

        if ( srv == NULL ) {
            if ( !use_ldsb ) {
                ber_sockbuf_free( lc->lconn_sb );
            }
            LDAP_FREE( (char *)lc );
            ld->ld_errno = LDAP_SERVER_DOWN;
            return( NULL );
        }

        lc->lconn_server = ldap_url_dup( srv );
    }
ldap_url_dup() does a bunch of malloc() calls to set up lc->lconn_server. If any of those malloc() calls fail, it returns NULL. The code does not check for a NULL lconn_server pointer and tries to reference lud_exts. That can cause a segmentation fault.

    if ( connect ) {
    #ifdef HAVE_TLS
        if ( lc->lconn_server->lud_exts ) {
            int rc, ext = find_tls_ext( lc->lconn_server );
            if ( ext ) {
                LDAPConn *savedefconn;

Even though this should not happen, is this a known issue and are there any plans to fix the OpenLDAP library?
Thank you
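To show the defensive shape of the check the report asks for, here is an added example that is not OpenLDAP's code: it models ldap_url_dup() and the tail of ldap_new_connection() with a fault-injecting allocator so the allocation-failure path can be exercised without crashing. The type names, url_dup(), new_connection() and connect_with_budget() are stand-ins written for this illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the OpenLDAP types and codes involved (values as in ldap.h). */
#define LDAP_SUCCESS    0x00
#define LDAP_NO_MEMORY  0x5a
typedef struct { char *lud_host; char **lud_exts; } URLDesc;   /* LDAPURLDesc */
typedef struct { URLDesc *lconn_server; } Conn;                 /* LDAPConn    */

/* Fault injection: allocations succeed until the budget is exhausted. */
static int alloc_budget;
static void *xmalloc(size_t n) { return alloc_budget-- > 0 ? malloc(n) : NULL; }

/* Models ldap_url_dup(): several allocations, NULL if any one of them fails. */
static URLDesc *url_dup(const URLDesc *src) {
    URLDesc *d = xmalloc(sizeof *d);
    if (d == NULL) return NULL;
    d->lud_exts = NULL;
    d->lud_host = xmalloc(strlen(src->lud_host) + 1);
    if (d->lud_host == NULL) { free(d); return NULL; }
    strcpy(d->lud_host, src->lud_host);
    return d;
}
static void url_free(URLDesc *u) { if (u) { free(u->lud_host); free(u); } }

/* Models the tail of ldap_new_connection() with the missing check added:
 * lconn_server is verified before anything reads lconn_server->lud_exts. */
static Conn *new_connection(const URLDesc *srv, int *ld_errno) {
    Conn *lc = xmalloc(sizeof *lc);
    if (lc == NULL) { *ld_errno = LDAP_NO_MEMORY; return NULL; }
    lc->lconn_server = url_dup(srv);
    if (lc->lconn_server == NULL) {          /* the check the report asks for */
        free(lc);
        *ld_errno = LDAP_NO_MEMORY;
        return NULL;
    }
    (void)lc->lconn_server->lud_exts;        /* the dereference that crashed before */
    *ld_errno = LDAP_SUCCESS;
    return lc;
}

/* Runs one connection attempt under a given allocation budget and returns
 * the resulting ld_errno; a budget of 2 fails exactly inside url_dup(). */
int connect_with_budget(int budget) {
    URLDesc src = { "ldap.example.invalid", NULL };   /* constructed input */
    int err = -1;
    alloc_budget = budget;
    Conn *lc = new_connection(&src, &err);
    if (lc) { url_free(lc->lconn_server); free(lc); }
    return err;
}
```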