https://bugs.openldap.org/show_bug.cgi?id=10493
Issue ID: 10493
Summary: change in 2.6.13 for ber_bvreplace_x introduces out of bounds reads
Product: OpenLDAP
Version: 2.6.13
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs@openldap.org
Reporter: dirk@dmllr.de
Target Milestone: ---
2.6.13 includes the patch for "Fixed liblber ber_bvreplace_x potential NULL dereference"
However, this now introduces OOB reads.
If ber_memrealloc_x fails to allocate memory, the function executes
```c
AC_MEMCPY( dst->bv_val, src->bv_val, dst->bv_len + 1 );
```
Because `dst->bv_len` was not updated to `src->bv_len`, `AC_MEMCPY` copies exactly `dst->bv_len + 1` bytes from `src`. Since `src` is strictly larger than the old `dst->bv_len`, the byte copied into the final position (`dst->bv_val[dst->bv_len]`) will be the corresponding character from `src`, **not a null-terminator**.
This leaves the `dst->bv_val` buffer without a null-terminator. Any subsequent string-based operations (like `strlen`, `printf`, or logging functions) acting on the `berval`'s `bv_val` will read out-of-bounds into adjacent heap memory until it randomly hits a null byte, leading to a heap buffer over-read (OOB Read) or information leak.
Similarly, if the source buffer was not null-terminated and was precisely sized to its length, it reads 1 byte past the end of src->bv_val, which is an Out-of-Bounds Read that could lead to crashes or leaking adjacent memory.
I suggest using this instead:
```c
if ( dst->bv_val != NULL ) {
	AC_MEMCPY( dst->bv_val, src->bv_val, dst->bv_len );
	dst->bv_val[dst->bv_len] = '\0';
}
```
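To make the failure branch concrete, here is an added C model of the realloc-failure path described above; it is written for this page and is not liblber's code. It places the 2.6.13 copy beside the suggested fix on a constructed input and inspects the terminator byte directly rather than calling `strlen`, so the demonstration itself never reads out of bounds. `struct berval` (a local stand-in for the liblber type), `realloc_x`, `bvreplace_model` and `demo` are all assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>
/* Local stand-in for liblber's struct berval: a length plus a pointer. */
struct berval { size_t bv_len; char *bv_val; };
/* Constructed test hook: when non-zero the allocator fails, which is the
 * branch the report describes. */
static int g_fail_realloc = 0;
static void *realloc_x(void *p, size_t n) { return g_fail_realloc ? NULL : realloc(p, n); }
/* Models only the "dst too small" path. fixed == 0 copies dst->bv_len + 1
 * bytes from src on allocation failure (the 2.6.13 behaviour the report
 * describes); fixed == 1 copies dst->bv_len bytes and writes the terminator
 * itself (the reporter's suggestion). This is not OpenLDAP's code. */
static struct berval *bvreplace_model(struct berval *dst, const struct berval *src, int fixed)
{
    if (dst->bv_len < src->bv_len) {
        char *p = realloc_x(dst->bv_val, src->bv_len + 1);
        if (p == NULL) {
            /* dst keeps its old buffer of dst->bv_len + 1 bytes */
            if (dst->bv_val != NULL) {
                if (fixed) {
                    memcpy(dst->bv_val, src->bv_val, dst->bv_len);
                    dst->bv_val[dst->bv_len] = '\0';
                } else {
                    /* last byte written is src->bv_val[dst->bv_len], not '\0' */
                    memcpy(dst->bv_val, src->bv_val, dst->bv_len + 1);
                }
            }
            return NULL;
        }
        dst->bv_val = p;
    }
    memcpy(dst->bv_val, src->bv_val, src->bv_len + 1);
    dst->bv_len = src->bv_len;
    return dst;
}
/* Replace "abc" (3 bytes in a 4-byte buffer) with "hello" (5 bytes).
 * Returns 1 if dst->bv_val is still NUL-terminated at dst->bv_len, 0 if not. */
int demo(int simulate_failure, int fixed)
{
    struct berval dst = { 3, malloc(4) }, src = { 5, "hello" };
    if (dst.bv_val == NULL) return -1;
    memcpy(dst.bv_val, "abc", 4);
    g_fail_realloc = simulate_failure;
    bvreplace_model(&dst, &src, fixed);
    g_fail_realloc = 0;
    int terminated = dst.bv_val[dst.bv_len] == '\0';
    free(dst.bv_val);
    return terminated;
}
```

With the allocation failing, `demo(1, 0)` returns 0 because the buggy copy leaves `'l'` where the terminator belongs, while `demo(1, 1)` returns 1; when the allocation succeeds both variants terminate the buffer.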
Howard Chu hyc@openldap.org changed:
What     | Removed | Added
---------|---------|--------------------------------------------------
See Also |         | https://bugs.openldap.org/show_bug.cgi?id=10438
--- Comment #1 from Howard Chu hyc@openldap.org ---
It's a berval, it would be stupid to call strlen on it since the length is already given.
There is no possibility of an information leak across the network since all of the actual BER output functions use the bv_len. Stray garbage in log output is harmless and can't cause a crash.
Howard Chu hyc@openldap.org changed:
What           | Removed     | Added
---------------|-------------|------------
Status         | UNCONFIRMED | IN_PROGRESS
Ever confirmed | 0           | 1
--- Comment #2 from Howard Chu hyc@openldap.org ---
https://git.openldap.org/openldap/openldap/-/merge_requests/861
Quanah Gibson-Mount quanah@openldap.org changed:
What             | Removed           | Added
-----------------|-------------------|-----------------
Assignee         | bugs@openldap.org | hyc@openldap.org
Keywords         | needs_review      |
Target Milestone | ---               | 2.6.14
Quanah Gibson-Mount quanah@openldap.org changed:
What       | Removed     | Added
-----------|-------------|---------
Status     | IN_PROGRESS | RESOLVED
Resolution | ---         | TEST
--- Comment #3 from Quanah Gibson-Mount quanah@openldap.org ---
head:
• 7199d8d5 by Dirk at 2026-04-19T22:26:18+01:00 ITS#10493 liblber: tweak commit from ITS#10438
RE26:
• 1e42634c by Dirk at 2026-04-21T21:51:52+00:00 ITS#10493 liblber: tweak commit from ITS#10438