 
            https://bugs.openldap.org/show_bug.cgi?id=10400
Issue ID: 10400
Summary: NULL pointer deref in ldap_parse_result
Product: OpenLDAP
Version: 2.6.10
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs@openldap.org
Reporter: hyc@openldap.org
Target Milestone: ---
Report from curl project. Full info here https://gist.github.com/bagder/8aae731b05bf423205db3d71aaedf18c
Relevant stack trace:
[Environment] ASAN_OPTIONS=exitcode=77
+----------------------------------------Release Build Stacktrace----------------------------------------+
Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_ldap -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-0f193edf6a069aa877a89a9f31c6b4d0c47ff028
Time ran: 0.0964963436126709

INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 2389202903
INFO: Loaded 1 modules (166249 inline 8-bit counters): 166249 [0x55ca1b31da20, 0x55ca1b346389),
INFO: Loaded 1 PC tables (166249 PCs): 166249 [0x55ca1b346390,0x55ca1b5cfa20),
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_ldap: Running 1 inputs 100 time(s) each.
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-0f193edf6a069aa877a89a9f31c6b4d0c47ff028
AddressSanitizer:DEADLYSIGNAL
=================================================================
==402==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55ca1ae33b22 bp 0x7ffd8c148e00 sp 0x7ffd8c148d00 T0)
==402==The signal is caused by a READ memory access.
==402==Hint: address points to the zero page.
    #0 0x55ca1ae33b22 in ldap_parse_result curl_fuzzer/build/openldap/src/openldap_external/libraries/libldap/error.c:264:26
    #1 0x55ca1a3c0b45 in oldap_connecting curl/lib/openldap.c:844:10
    #2 0x55ca1a25c34f in protocol_connecting curl/lib/multi.c:1794:14
    #3 0x55ca1a25c34f in multi_runsingle curl/lib/multi.c:2510:16
    #4 0x55ca1a25a985 in curl_multi_perform curl/lib/multi.c:2791:18
    #5 0x55ca1a20c048 in fuzz_handle_transfer(fuzz_data*) curl_fuzzer/curl_fuzzer.cc:419:5
    #6 0x55ca1a20afd7 in LLVMFuzzerTestOneInput curl_fuzzer/curl_fuzzer.cc:97:3
    #7 0x55ca1a0a854d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:619:13
    #8 0x55ca1a0932c2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:329:6
    #9 0x55ca1a099190 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:865:9
    #10 0x55ca1a0c4cc2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7d3b976eb082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16
    #12 0x55ca1a08c3ad in _start

==402==Register values:
rax = 0x0000000000000000  rbx = 0x00007ffd8c148d00  rcx = 0x0000799b969e0e00  rdx = 0x0000000000000000
rdi = 0x0000799b969e0e00  rsi = 0x0000793b959d5920  rbp = 0x00007ffd8c148e00  rsp = 0x00007ffd8c148d00
r8  = 0x000055ca1b751a00  r9  = 0x00007fffffffff01  r10 = 0x00007fffffffff01  r11 = 0x0000000000000001
r12 = 0x0000793b956d2800  r13 = 0x0000000000000000  r14 = 0x0000000000000000  r15 = 0x0000000000000000
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_ldap+0x1411b22)
==402==ABORTING
 
            https://bugs.openldap.org/show_bug.cgi?id=10400
Howard Chu hyc@openldap.org changed:
           What    |Removed      |Added
----------------------------------------------------------------------------
         Status    |UNCONFIRMED  |RESOLVED
     Resolution    |---          |TEST

--- Comment #1 from Howard Chu hyc@openldap.org ---
Fixed in master 44815be4dab1fc058c5fad6df20b8f2283a9ebc1
 
            https://bugs.openldap.org/show_bug.cgi?id=10400
Howard Chu hyc@openldap.org changed:
           What    |Removed      |Added
----------------------------------------------------------------------------
Target Milestone   |---          |2.6.11
       Keywords    |needs_review |
