Full_Name: Hallvard B Furuseth Version: HEAD OS: URL: Submission from: (NULL) (129.240.6.233) Submitted by: hallvard
libraries/libldap/result.c:try_read1msg() accesses 'lr' uninitialized if 'id' (message ID) from line 577's 'ber_get_int( ber, &id )' is <= 0.
I'm not sure if the client should terminate the connection when it receives message id < 0, or if it should just toss the response like it does with unknown message IDs.
With message ID 0, the code reaches this statement with 'lr' uninitialized:

    Debug( LDAP_DEBUG_TRACE, "read1msg: ld %p msgid %ld message type %s\n",
        (void *)ld, (long)lr->lr_msgid, ldap_int_msgtype2str( tag ) );

As far as I can tell, normally lr->lr_msgid == id. I haven't tracked what those values are with LDAP_CONNECTIONLESS at the 'nextresp2:' label. A 700-line function with 5 labels, yuck. Anyway, I wonder why that statement and the statement below it:

    if ( id == 0 ) {

don't use the same value, either id or lr->lr_msgid, for both.
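The check the report is asking for, as an added example written for this page (it is not libldap code and does not reproduce try_read1msg()): a minimal decoder for the BER INTEGER carrying the LDAP messageID, and a dispatch routine that stands in for the request lookup. The names ber_decode_int, dispatch_response, pending_req and the sample byte strings are all hypothetical and constructed here. The point it demonstrates is the ordering: the id is validated first, a negative id is tossed, id 0 is routed to the unsolicited-notification path (RFC 4511 reserves messageID 0 for that), and a request record is only dereferenced once a positive id has matched one.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for libldap's per-request record (hypothetical, for this example only). */
typedef struct pending_req {
    long msgid;
    const char *label;
    struct pending_req *next;
} pending_req;

typedef enum {
    DISPATCH_MATCHED,      /* id > 0 and a pending request with that id exists */
    DISPATCH_UNSOLICITED,  /* id == 0: unsolicited notification, no request to look up */
    DISPATCH_DISCARD,      /* id < 0, or no pending request with that id */
    DISPATCH_MALFORMED     /* not a well-formed BER INTEGER */
} dispatch_result;

/*
 * Decode a short-form BER INTEGER (tag 0x02) from buf[0..len).
 * Returns the number of bytes consumed, or 0 if the encoding is malformed.
 * Values are sign-extended, so a server sending a single 0xFF content byte
 * yields -1, which is exactly the id <= 0 case the report is about.
 */
static size_t ber_decode_int(const unsigned char *buf, size_t len, long *out)
{
    if (len < 2 || buf[0] != 0x02)
        return 0;
    size_t vlen = buf[1];
    if (vlen == 0 || (vlen & 0x80) || vlen > sizeof(long) || len < 2 + vlen)
        return 0;                      /* empty, long-form length, or truncated */
    unsigned long uv = 0;
    for (size_t i = 0; i < vlen; i++)
        uv = (uv << 8) | buf[2 + i];
    if ((buf[2] & 0x80) && vlen < sizeof(long))   /* negative: extend the sign bit */
        uv |= ~0UL << (8 * vlen);
    *out = (long)uv;
    return 2 + vlen;
}

/*
 * The decision a reader of LDAP responses has to make before touching any
 * request record. 'msg' is the content of an LDAPMessage SEQUENCE, i.e. it
 * starts at the messageID INTEGER; the protocolOp after it is not parsed here.
 */
static dispatch_result dispatch_response(const unsigned char *msg, size_t len,
                                         pending_req *pending, pending_req **matched)
{
    long id;
    *matched = NULL;
    if (ber_decode_int(msg, len, &id) == 0)
        return DISPATCH_MALFORMED;
    if (id < 0)
        return DISPATCH_DISCARD;       /* never valid on the wire: toss it, dereference nothing */
    if (id == 0)
        return DISPATCH_UNSOLICITED;   /* reserved for unsolicited notifications (RFC 4511) */
    for (pending_req *p = pending; p != NULL; p = p->next) {
        if (p->msgid == id) {
            *matched = p;              /* only now is there a request record to use */
            return DISPATCH_MATCHED;
        }
    }
    return DISPATCH_DISCARD;           /* unknown id: dropped, as libldap does for unknown ids */
}

/* Constructed sample inputs: the messageID INTEGER a server might send back. */
static const unsigned char MSG_ID_5[]   = { 0x02, 0x01, 0x05 };
static const unsigned char MSG_ID_0[]   = { 0x02, 0x01, 0x00 };
static const unsigned char MSG_ID_NEG[] = { 0x02, 0x01, 0xFF };   /* decodes to -1 */
static const unsigned char MSG_ID_7[]   = { 0x02, 0x01, 0x07 };
static const unsigned char MSG_BAD[]    = { 0x02, 0x00 };         /* zero-length INTEGER */

/* One outstanding request with msgid 5, as a client might have pending. */
static pending_req PENDING_SEARCH = { 5, "search", NULL };

static dispatch_result classify(const unsigned char *msg, size_t len)
{
    pending_req *lr;
    return dispatch_response(msg, len, &PENDING_SEARCH, &lr);
}

int main(void)
{
    static const char *names[] = { "matched", "unsolicited", "discard", "malformed" };
    printf("id 5  -> %s\n", names[classify(MSG_ID_5, sizeof MSG_ID_5)]);
    printf("id 0  -> %s\n", names[classify(MSG_ID_0, sizeof MSG_ID_0)]);
    printf("id -1 -> %s\n", names[classify(MSG_ID_NEG, sizeof MSG_ID_NEG)]);
    printf("id 7  -> %s\n", names[classify(MSG_ID_7, sizeof MSG_ID_7)]);
    printf("bad   -> %s\n", names[classify(MSG_BAD, sizeof MSG_BAD)]);
    return 0;
}
```

The decoder deliberately handles only the short-form length and the messageID itself; a real reader also has to consume the enclosing SEQUENCE header and the protocolOp. What carries over is that the id is classified (negative, zero, positive-and-known, positive-and-unknown) before any per-request pointer is read, so a debug trace placed ahead of the id == 0 branch has nothing uninitialized to print.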