Full_Name: Stef Walter Version: 2.4.35 OS: Fedora 18 URL: http://fedorapeople.org/~stefw/patches/openldap-01/0001-Fix-usage-of-uniniti... Submission from: (NULL) (77.3.95.123)
When sending a cldap (UDP) packet, like a search request, uninitialized memory is accessed. This shows up in valgrind like this:
==31445== Conditional jump or move depends on uninitialised value(s) ==31445== at 0x36632244E6: ldap_send_server_request (request.c:377) ==31445== by 0x36632247C2: ldap_send_initial_request (request.c:166) ==31445== by 0x36632142F8: ldap_pvt_search (search.c:128) ==31445== by 0x366321454F: ldap_search_ext (search.c:69) ==31445== by 0x400838: main (in /data/projects/openldap/frob-cldap-search) ==31445==
This is due to parsing the resulting packet to pull out a requestDN. UDP packets have different BER layout, and therefore the assumptions made when parsing the outgoing request are invalid.
It does not seem necessary to track the request DN for UDP packets. The linked patch disables this code path for UDP packets.
Patch which fixes the issue: http://fedorapeople.org/~stefw/patches/openldap-01/0001-Fix-usage-of-uniniti...
Test code for the issue: http://fedorapeople.org/~stefw/patches/openldap-01/frob-cldap-search.c
Note that the test code doesn't detect the issue on its own (or do anything useful). Use valgrind to detect the issue:
$ gcc -o frob-cldap-search -Wall -lldap -llber frob-cldap-search.c $ valgrind ./frob-cldap-search