https://bugs.openldap.org/show_bug.cgi?id=10370
Issue ID: 10370
Summary: result.c:930: try_read1msg: Assertion `!BER_BVISEMPTY( &resoid )' failed.
Product: OpenLDAP
Version: 2.6.10
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs@openldap.org
Reporter: daniel@haxx.se
Target Milestone: ---

When using curl built with OpenLDAP to access a broken/malicious ldap server, OpenLDAP will abort on this assert.
It seems it should rather return a proper error code?
A full reproducer that unfortunately uses curl is available here: https://hackerone.com/reports/3258022 together with more details about this problem.
(I'm forwarding this information, I did not discover this.)
Howard Chu hyc@openldap.org changed:
What            |Removed           |Added
----------------------------------------------------------------------------
Resolution      |---               |TEST
Status          |UNCONFIRMED       |RESOLVED
--- Comment #1 from Howard Chu hyc@openldap.org ---
Fixed in git 7d2805f27c9863daab7edef0d01cb872dc859ff8
Quanah Gibson-Mount quanah@openldap.org changed:
What            |Removed           |Added
----------------------------------------------------------------------------
Keywords        |needs_review      |
Target Milestone|---               |2.6.11
Assignee        |bugs@openldap.org |hyc@openldap.org
--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org ---
main:
• 7d2805f2 by Howard Chu at 2025-07-23T22:05:25+01:00 ITS#10370 libldap: don't assert on network input
RE26:
• a306fce8 by Howard Chu at 2025-09-08T22:54:01+00:00 ITS#10370 libldap: don't assert on network input
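
The failure mode this report describes, as an added example that is neither OpenLDAP's code nor the fix in the commits above: a client-side decoder that asserts on a peer-supplied value, next to one that returns an error code instead. The `struct bytes` type, the function names, the error codes, the tag value and the sample messages are all hypothetical and constructed for illustration.

```c
#include <assert.h>
#include <string.h>

/* Hypothetical stand-ins for this example; not libldap types or codes. */
struct bytes { const unsigned char *p; size_t len; };
enum { PARSE_OK = 0, PARSE_DECODING_ERROR = -1 };
#define TAG_OID 0x8a /* constructed sample tag */

/* Read one TLV (one-byte tag, short-form length) from *in into *out. */
static int read_tlv(const struct bytes *in, unsigned char tag, struct bytes *out)
{
    if (in->len < 2 || in->p[0] != tag) return PARSE_DECODING_ERROR;
    size_t n = in->p[1];
    if ((n & 0x80) || n > in->len - 2) return PARSE_DECODING_ERROR;
    *out = (struct bytes){ in->p + 2, n };
    return PARSE_OK;
}

/* Before: the peer picks the length, so "8a 00" aborts the client process. */
int oid_equals_asserting(struct bytes msg, const char *want)
{
    struct bytes oid;
    if (read_tlv(&msg, TAG_OID, &oid) != PARSE_OK) return 0;
    assert(oid.len != 0);
    return oid.len == strlen(want) && memcmp(oid.p, want, oid.len) == 0;
}

/* After: an empty OID is a protocol violation reported to the caller. */
int oid_equals_checked(struct bytes msg, const char *want, int *match)
{
    struct bytes oid;
    *match = 0;
    if (read_tlv(&msg, TAG_OID, &oid) != PARSE_OK || oid.len == 0)
        return PARSE_DECODING_ERROR;
    *match = oid.len == strlen(want) && memcmp(oid.p, want, oid.len) == 0;
    return PARSE_OK;
}

/* Constructed sample messages: an empty OID, and the OID "1.2". */
static const unsigned char EMPTY_OID[] = { 0x8a, 0x00 };
static const unsigned char GOOD_OID[]  = { 0x8a, 0x03, '1', '.', '2' };

int main(void)
{
    int m;
    struct bytes bad = { EMPTY_OID, sizeof EMPTY_OID }, ok = { GOOD_OID, sizeof GOOD_OID };
    if (oid_equals_checked(bad, "1.2", &m) != PARSE_DECODING_ERROR) return 1;
    return !(oid_equals_checked(ok, "1.2", &m) == PARSE_OK && m == 1);
}
```

The asserting variant also silently changes behaviour when built with `NDEBUG`, which is a second reason to validate peer input with an explicit check.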