https://bugs.openldap.org/show_bug.cgi?id=10145
Issue ID: 10145
Summary: ldap_url_parse_ext buffer overread
Product: OpenLDAP
Version: 2.6.6
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs@openldap.org
Reporter: joshua@joshua.hu
Target Milestone: ---
Hi there,
There is an easy-to-trigger buffer overread in the function ldap_url_parse_ext in libraries/libldap/url.c:
850         url_tmp = skip_url_prefix( url_in, &enclosed, &scheme );
851
852         if ( url_tmp == NULL ) {
853                 return LDAP_URL_ERR_BADSCHEME;
854         }
855
856         assert( scheme != NULL );
857
858         proto = ldap_pvt_url_scheme2proto( scheme );
859         if ( proto == -1 ) {
860                 return LDAP_URL_ERR_BADSCHEME;
861         }
862
863         /* make working copy of the remainder of the URL */
864         url = LDAP_STRDUP( url_tmp );
865         if ( url == NULL ) {
866                 return LDAP_URL_ERR_MEM;
867         }
868
869         if ( enclosed ) {
870                 p = &url[strlen(url)-1];
871
872                 if( *p != '>' ) {
873                         LDAP_FREE( url );
874                         return LDAP_URL_ERR_BADENCLOSURE;
875                 }
876
877                 *p = '\0';
878         }
The function skip_url_prefix, presented with a url_in that is exactly '<ldap://', will work towards line 870, which will set:
        p = &url[strlen(0)-1];
This causes a one-byte buffer overread.
This issue can be triggered by calling ldap_url_parse_ext with a url of exactly "<ldap://".
This issue can be triggered both through the library and slapd.
=================================================================
==1986888==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000004c2f at pc 0x7ffff7eed3c2 bp 0x7fffffffde10 sp 0x7fffffffde08
READ of size 1 at 0x602000004c2f thread T0
    #0 0x7ffff7eed3c1 in ldap_url_parse_ext /home/jrogers/openldap-clean/libraries/libldap/url.c:872:7
Howard Chu hyc@openldap.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|UNCONFIRMED                 |RESOLVED
--- Comment #1 from Howard Chu hyc@openldap.org --- Thanks for the report. There's no operational impact from this, but now fixed in git master.
Quanah Gibson-Mount quanah@openldap.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|bugs@openldap.org           |hyc@openldap.org
   Target Milestone|---                         |2.5.17
           Keywords|needs_review                |
Quanah Gibson-Mount quanah@openldap.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |TEST
--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org --- head:
• e40d3640 by Howard Chu at 2023-12-16T14:01:46+00:00 ITS#10145 ldap_url_parse_ext: fail earlier on bad URL enclosure
Quanah Gibson-Mount quanah@openldap.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|TEST                        |FIXED
--- Comment #3 from Quanah Gibson-Mount quanah@openldap.org --- RE26:
• 0e40e44e by Howard Chu at 2024-01-16T19:15:37+00:00 ITS#10145 ldap_url_parse_ext: fail earlier on bad URL enclosure
RE25:
• e987fcf3 by Howard Chu at 2024-01-16T19:15:49+00:00 ITS#10145 ldap_url_parse_ext: fail earlier on bad URL enclosure
Quanah Gibson-Mount quanah@openldap.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |VERIFIED