On Tue, May 01, 2018 at 08:14:50PM +0000, openldap@katzen.cc wrote:
2 small issues: I'm keeping it brief, let me know if you need more information.
A malicious LDAP server or mitm attacker can craft a response that causes the ldap client to crash. Nothing critical, just a simple DoS. [...] The problem here is that retoid can be NULL after ldap_parse_intermediate() is called.
Another NULL pointer dereference caused by a bad response: [...] The PoC leads to memcpy being called with a NULL pointer as second argument (ava->la_value.bv_val) in dn2domain() (libraries/libldap/getdn.c):
AC_MEMCPY( str, ava->la_value.bv_val, ava->la_value.bv_len + 1);
Both are fixed in this branch: https://github.com/mistotebe/openldap/tree/its8842
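The dn2domain() case above, as an added illustration of the defensive pattern rather than OpenLDAP's own fix: the AVA value is validated before any copy, so a NULL bv_val handed back by the parser for a crafted response is rejected instead of dereferenced. The berval_like/ava_like types and join_domain_checked() are simplified stand-ins constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified stand-ins for libldap's berval / LDAPAVA
 * (example code, not OpenLDAP's own types). */
struct berval_like { size_t bv_len; const char *bv_val; };
struct ava_like    { struct berval_like la_value; };

/* Join the values of n AVAs into a dotted domain ("example.com"), the way
 * dn2domain() assembles dc= components. Unlike an unchecked
 * AC_MEMCPY(str, ava->la_value.bv_val, ava->la_value.bv_len + 1), every
 * value is checked first: a NULL bv_val, an empty value, or a length that
 * disagrees with the NUL-terminated contents returns NULL to the caller
 * rather than passing a bad pointer to memcpy. Caller frees the result. */
char *join_domain_checked(const struct ava_like *avas, size_t n)
{
    size_t total = 0;
    if (avas == NULL || n == 0) return NULL;
    for (size_t i = 0; i < n; i++) {
        const struct berval_like *v = &avas[i].la_value;
        if (v->bv_val == NULL || v->bv_len == 0) return NULL;
        if (strlen(v->bv_val) != v->bv_len) return NULL; /* embedded NUL / bad len */
        total += v->bv_len + 1;                          /* value plus '.' or NUL */
    }
    char *str = malloc(total);
    if (str == NULL) return NULL;
    char *p = str;
    for (size_t i = 0; i < n; i++) {
        memcpy(p, avas[i].la_value.bv_val, avas[i].la_value.bv_len);
        p += avas[i].la_value.bv_len;
        *p++ = (i + 1 < n) ? '.' : '\0';
    }
    return str;
}

int main(void)
{
    /* Constructed inputs: a well-formed DN and one with a NULL value. */
    struct ava_like good[2] = { {{7, "example"}}, {{3, "com"}} };
    struct ava_like bad[2]  = { {{7, "example"}}, {{3, NULL}} };
    char *d = join_domain_checked(good, 2);
    printf("good: %s\n", d ? d : "(rejected)");
    free(d);
    printf("bad:  %s\n", join_domain_checked(bad, 2) ? "accepted" : "(rejected)");
    return 0;
}
```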