Full_Name: Daniel Stenberg
Version: any
OS: Linux
URL:
Submission from: (NULL) (178.174.211.173)

The function ldap_get_attribute_ber() is called to get attributes, but it turns out that it can return LDAP_SUCCESS and still return a NULL pointer in the result pointer when getting a particularly crafted response.
This was a surprise to us and to curl, as this caused us a security vulnerability. See https://curl.haxx.se/docs/adv_2018-97a2.html
1. There's no man page nor online resource to read the docs for this function so it's really hard to figure out this fact.
2. This behavior is surprising, and this flaw was even written by someone very familiar with OpenLDAP, indicating it is unintended or at least not the normal path.
3. Due to the above two points, I believe there's a risk curl is not the only application in the world that had this bad assumption and thus this might be a lurking security issue in more projects.
/ Daniel
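
The caller-side check this report argues for, as an added example that is not code from curl, OpenLDAP or the report's author: a success return code is not treated as proof that the result pointers are non-NULL. `mock_get_attribute`, `struct val`, `RC_SUCCESS` and the sample data are hypothetical stand-ins, constructed so the block compiles without libldap; they only model a call that reports success while leaving a result pointer NULL.

```c
#include <stddef.h>
#include <stdio.h>
#define RC_SUCCESS 0  /* stands in for LDAP_SUCCESS */
struct val { const char *data; };  /* simplified stand-in for struct berval */

/* Constructed sample response: the second attribute has no value array. */
static struct val cn_vals[] = { {"alice"}, {NULL} };
static struct val mail_vals[] = { {"a@example.org"}, {"b@example.org"}, {NULL} };
static struct { const char *name; struct val *vals; } sample[] = {
    { "cn", cn_vals }, { "crafted", NULL }, { "mail", mail_vals },
};

/* Hypothetical stand-in for the library call: it always reports success,
 * sets *name to NULL after the last attribute, and may leave *vals NULL. */
static int mock_get_attribute(size_t idx, const char **name, struct val **vals)
{
    int more = idx < sizeof sample / sizeof sample[0];
    *name = more ? sample[idx].name : NULL;
    *vals = more ? sample[idx].vals : NULL;
    return RC_SUCCESS;
}

/* Hardened caller: the return code alone does not make the out-pointers
 * usable, so each one is checked before it is dereferenced. */
static int count_values_checked(size_t *skipped)
{
    int total = 0;
    *skipped = 0;
    for (size_t idx = 0; ; idx++) {
        const char *name = NULL;
        struct val *vals = NULL;
        if (mock_get_attribute(idx, &name, &vals) != RC_SUCCESS)
            return -1;                 /* genuine error from the call */
        if (name == NULL) break;       /* success, but no more attributes */
        if (vals == NULL) {            /* success, but no value array to walk */
            (*skipped)++;
            continue;
        }
        for (size_t i = 0; vals[i].data != NULL; i++)  /* vals checked above */
            total++;
    }
    return total;
}

int main(void)
{
    size_t skipped = 0;
    int total = count_values_checked(&skipped);
    return printf("values=%d skipped=%zu\n", total, skipped) < 0;
}
```

Without the `vals == NULL` branch, the inner loop would dereference a NULL pointer on the second constructed attribute even though every call returned success.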