Full_Name: Jan Vcelak
Version: 2.5.25
OS: Linux
URL: ftp://ftp.openldap.org/incoming/jvcelak-20110622-ldif-split-indent-segfault-2.patch
Submission from: (NULL) (209.132.186.34)
Hello,
An input LDIF file with split (continuation) lines that are indented incorrectly causes a SEGFAULT of a client tool. Let me show:
$ cat /tmp/invalid.ldif
dn: cn=B,dc=my-domain,
dc=com
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
cn: B
sn: B
uid: B
mail: b@example.org

$ ldapmodify -a -x -f /tmp/invalid.ldif -d2048
ldif_parse_line: missing ':' after dc=com
ldapmodify: invalid format (line 2) entry: "cn=B,dc=my-domain,"
Segmentation fault (core dumped)
(gdb) bt full
#0  __strcasecmp_l_ssse3 () at ../sysdeps/x86_64/strcmp.S:214
No locals.
#1  0x000000000042d9f3 in ldap_parse_ldif_record_x (rbuf=0x7fffffffdbb0, linenum=1, lr=0x7fffffffdb30, errstr=0x7fffffffe197 "ldapmodify", flags=1, ctx=0x0) at ldifutil.c:399
        fv = 0
        line = 0x668627 "dc=com"
        dn = 0x668614 "cn=B,dc=my-domain,"
        rc = -9
        modop = 0
        expect_modop = 0
        expect_sep = 0
        ldapadd = 1
        new_entry = 1
        delete_entry = 0
        got_all = 0
        pmods = 0x6697e8
        version = 0
        pctrls = 0x0
        i = 1
        j = 0
        k = -1
        idn = 1
        nmods = 1
        bvl = 0x6697f8
        bv = {bv_len = 0, bv_val = 0x0}
        __PRETTY_FUNCTION__ = "ldap_parse_ldif_record_x"
#2  0x000000000042e524 in ldap_parse_ldif_record (rbuf=0x7fffffffdbb0, linenum=1, lr=0x7fffffffdb30, errstr=0x7fffffffe197 "ldapmodify", flags=1) at ldifutil.c:565
No locals.
#3  0x0000000000406ff8 in process_ldif_rec (rbuf=0x668610 "dn", linenum=1) at ldapmodify.c:404
        lr = {lr_op = 0, lr_dn = {bv_len = 18, bv_val = 0x668614 "cn=B,dc=my-domain,"}, lr_ctrls = 0x0, ldif_ops = {lr_mods = 0x0, ldif_op_rename = {lr_newrdn = {bv_len = 0, bv_val = 0x0}, lr_newsuperior = {bv_len = 0, bv_val = 0x0}, lr_deleteoldrdn = 0}, ldif_op_ext = {lr_extop_oid = {bv_len = 0, bv_val = 0x0}, lr_extop_data = {bv_len = 0, bv_val = 0x0}}, ldif_op_cmp = {lr_cmp_attr = {bv_len = 0, bv_val = 0x0}, lr_cmp_bvalue = {bv_len = 0, bv_val = 0x0}}}, lr_ctx = 0x0, lr_lines = 2, lr_lm = 0x6697d0, lr_mops = 0x0, lr_freeval = 0x6699e0 "", lr_vals = 0x669930, lr_btype = 0x669880}
        lrflags = 1
        rc = 0
        rbuf_bv = {bv_len = 0, bv_val = 0x66862e "objectclass: inetOrgPerson\nobjectclass: organizationalPerson\nobjectclass: person\nobjectclass: top\ncn: B\nsn: B\nuid: B\nmail: b@example.org\n"}
#4  0x0000000000406cb7 in main (argc=6, argv=0x7fffffffdd98) at ldapmodify.c:316
        rbuf = 0x668610 "dn"
        rejbuf = 0x0
        rejfp = 0x0
        ldiffp = 0x6600a0
        ldifdummy = {fp = 0x0, prev = 0x0}
        matched_msg = 0x448790 "H\211l$\330L\211d$\340H\215-\003\060!"
        error_msg = 0x8000 <Address 0x8000 out of bounds>
        rc = 0
        retval = 0
        ldifrc = 1
        len = 4491152
        i = 0
        lineno = 1
        nextline = 11
        lmax = 4119
        c = {{ldctl_oid = 0x7fe0f05 <Address 0x7fe0f05 out of bounds>, ldctl_value = {bv_len = 5044973646, bv_val = 0x0}, ldctl_iscritical = 0 '\000'}}
(gdb) frame 1
#1  0x000000000042d9f3 in ldap_parse_ldif_record_x (rbuf=0x7fffffffdbb0, linenum=1, lr=0x7fffffffdb30, errstr=0x7fffffffe197 "ldapmodify", flags=1, ctx=0x0) at ldifutil.c:399
399         if ( !BV_CASEMATCH( lr->lr_btype+i, &bv )) {
(gdb) p *(lr->lr_btype+1)
$1 = {bv_len = 0, bv_val = 0x668627 "dc=com"}
(gdb)
bv_len is incorrectly set to zero, and therefore the string is compared against bv, which is a "null string" (bv_val = 0x0).
I have uploaded a patch to address this issue.
With the patch applied, the output is the following:
./ldapmodify -a -x -f /tmp/invalid.ldif -d2048
ldif_parse_line: missing ':' after dc=com
ldapmodify: invalid format (line 2) entry: "cn=B,dc=my-domain,"
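As an added illustration of the failure mode (this is not OpenLDAP's code nor the submitted patch), the following minimal LDIF record parser unfolds RFC 2849 continuation lines and aborts the whole parse on the first logical line without a ':' instead of carrying a zero-length type with a NULL value into later comparisons. It assumes plain "type: value" lines only (no "::" base64 or ":<" URL forms) and uses constructed inputs that mirror the report's invalid.ldif.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#define MAX_LINES 32
#define MAX_LEN   256
#define LDIF_ERR_OVERFLOW (-(MAX_LINES + 1))  /* distinct from any -(line number) */

/* Constructed inputs mirroring the report: in bad_ldif the dn continuation
 * line lacks the single leading space that RFC 2849 requires. */
static const char *bad_ldif  = "dn: cn=B,dc=my-domain,\ndc=com\nobjectclass: inetOrgPerson\n";
static const char *good_ldif = "dn: cn=B,dc=my-domain,\n dc=com\nobjectclass: inetOrgPerson\n";

/* Unfold physical lines into logical ones (a line starting with one space is
 * appended, minus that space, to the previous line); -1 on buffer overflow. */
static int ldif_unfold(const char *in, char out[][MAX_LEN]) {
    int n = 0;
    while (*in) {
        const char *eol = strchr(in, '\n');
        size_t len = eol ? (size_t)(eol - in) : strlen(in);
        if (len == 0) break;                        /* blank line ends the record */
        if (*in == ' ' && n > 0) {                  /* continuation line */
            in++; len--;
            if (strlen(out[n - 1]) + len >= MAX_LEN) return -1;
            strncat(out[n - 1], in, len);
        } else {
            if (n == MAX_LINES || len >= MAX_LEN) return -1;
            memcpy(out[n], in, len); out[n][len] = '\0'; n++;
        }
        in += len + (eol ? 1 : 0);
    }
    return n;
}

/* Parse one record: returns the count of non-dn attributes and copies the dn
 * value to dn_out. A logical line with no ':' aborts the parse and returns
 * -(1-based line number), so no half-initialised type/value pair reaches later code. */
int ldif_parse_record(const char *in, char *dn_out, size_t dn_sz) {
    char lines[MAX_LINES][MAX_LEN];
    int n = ldif_unfold(in, lines), i, attrs = 0;
    if (n < 0) return LDIF_ERR_OVERFLOW;
    for (i = 0; i < n; i++) {
        char *sep = strchr(lines[i], ':');
        if (sep == NULL || sep == lines[i]) return -(i + 1);  /* "missing ':'" */
        *sep++ = '\0';
        while (*sep == ' ') sep++;                  /* skip separator space(s) */
        if (strcasecmp(lines[i], "dn") == 0) snprintf(dn_out, dn_sz, "%s", sep);
        else attrs++;
    }
    return attrs;
}
```

With bad_ldif the parser reports the error at logical line 2 (the same line ldapmodify flags) and stops; with good_ldif the two physical dn lines unfold into "cn=B,dc=my-domain,dc=com".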