[ 
https://issues.apache.org/jira/browse/DIRAPI-418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17897663#comment-17897663
 ] 

Emmanuel Lécharny commented on DIRAPI-418:
------------------------------------------

This is actually complicated...

The PDU contains a completed TLV:

{code:java}
0xA6, 0x04,        // Less or equal filter
  0x04, 0x02,      // AttributeDesc
    0x04, 0x04,    // The value
...                // At this point, we don't expect anything as the filter TLV length is fulfilled.
{code}

except that the grammar mandates the presence of an {{AssertionValue}}, whose 
TLV starts with 0x04.

And the sample has this {{0x04}} tag, which is not to be processed as an 
{{AssertionValue}}, as the filter has been fully decoded.
So we are in a situation where the state engine is at state 
{{ATTRIBUTE_DESC_FILTER_STATE}}, a completed {{TLV}} and a next tag which is 
associated with an action that is not the right one (we should generate an 
error).

The only way to deal with that is to check if the {{TLV}} has been completed, 
then we should unroll the state back to where we can process the next 
transition (i.e. either a next Filter, or an AttributeDescriptionList).

Except that we don't keep track of the possible transitions when we have 
completed the current {{TLV}} and fall back on an unexpected tag that still 
corresponds to the expected ...

Still have to figure out a way to work around the problem...
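An added illustration (in Python, not the project's decoder) of the length-budget check the comment describes: each child TLV is read inside the window of its enclosing TLV, so when the filter's declared length is exhausted before the AssertionValue, the decoder raises a decode error instead of consuming the next PDU octet (0x04) as a tag. The sample bytes are constructed.

```python
class DecodeError(Exception):
    pass

def read_tlv(buf: bytes, pos: int, end: int):
    """Read one TLV inside the window [pos, end) and return (tag, value, next_pos).
    Raises instead of reading past the enclosing TLV's declared length (short-form lengths only)."""
    if pos >= end:
        raise DecodeError(f"enclosing TLV already fully consumed at offset {pos}")
    if pos + 1 >= end:
        raise DecodeError(f"tag 0x{buf[pos]:02X} at offset {pos} has no length octet")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise DecodeError("long-form length not handled in this example")
    start, stop = pos + 2, pos + 2 + length
    if stop > end:
        raise DecodeError(f"TLV at offset {pos} declares {length} bytes, only {end - start} left")
    return tag, buf[start:stop], stop

def decode_less_or_equal(pdu: bytes, pos: int = 0):
    """Decode [6] lessOrEqual = AttributeValueAssertion { attributeDesc, assertionValue }.
    Both children must fit inside the filter TLV's own length; the grammar alone is not enough."""
    tag, body, next_pos = read_tlv(pdu, pos, len(pdu))
    if tag != 0xA6:
        raise DecodeError(f"expected lessOrEqual tag 0xA6, got 0x{tag:02X}")
    attr_tag, attr, off = read_tlv(body, 0, len(body))
    if attr_tag != 0x04:
        raise DecodeError(f"expected attributeDesc tag 0x04, got 0x{attr_tag:02X}")
    # The case from the comment: the filter length is exhausted here although the grammar
    # still demands an AssertionValue. Reading within `body` turns that into a clean error
    # instead of taking the next PDU octet (0x04) as the AssertionValue tag.
    val_tag, value, off = read_tlv(body, off, len(body))
    if val_tag != 0x04:
        raise DecodeError(f"expected assertionValue tag 0x04, got 0x{val_tag:02X}")
    if off != len(body):
        raise DecodeError("trailing octets inside lessOrEqual filter")
    return attr, value, next_pos

# Constructed: filter A6 04 { 04 02 "cn" } is complete, then a stray 04 01 "x" follows.
TRUNCATED = bytes([0xA6, 0x04, 0x04, 0x02, 0x63, 0x6E, 0x04, 0x01, 0x78])
# Constructed: well-formed A6 07 { 04 02 "cn", 04 01 "x" }.
WELL_FORMED = bytes([0xA6, 0x07, 0x04, 0x02, 0x63, 0x6E, 0x04, 0x01, 0x78])

def try_decode(pdu: bytes) -> str:
    try:
        attr, value, _ = decode_less_or_equal(pdu)
        return f"ok attr={attr!r} value={value!r}"
    except DecodeError as e:
        return f"error: {e}"
```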

> NullPointerException in Asn1Decoder
> -----------------------------------
>
>                 Key: DIRAPI-418
>                 URL: https://issues.apache.org/jira/browse/DIRAPI-418
>             Project: Directory Client API
>          Issue Type: Bug
>    Affects Versions: 2.1.7
>            Reporter: Andrey Slepykh
>            Priority: Major
>         Attachments: ReproducerDecodeNullPointerException.java
>
>
> Hi, we were fuzzing Asn1Decoder and have found NullPointerException in 
> decoding. This seems to be different from 
> https://issues.apache.org/jira/browse/DIRAPI-414
> Steps to reproduce:
> 1. Download Apache Directory LDAP API v2.1.7:
> {code:bash}
> wget https://github.com/apache/directory-ldap-api/archive/refs/tags/2.1.7.tar.gz
> tar xf 2.1.7.tar.gz && rm 2.1.7.tar.gz
> {code}
> 2. Compile the project (we used jdk-11 and mvn-3.9.6):
> {code:bash}
> cd directory-ldap-api-2.1.7
> mvn clean package
> {code}
> 3. Get the reproducer:
> {code:bash}
> mkdir fuzz && cd fuzz
> mv <path/to/reproducer>/ReproducerDecodeNullPointerException.java .
> {code}
> 4. Compile the reproducer:
> {code:bash}
> javac -cp \
>   .:../../asn1/ber/target/classes/:../../asn1/api/target/classes/:../../ldap/codec/core/target/classes/:../../ldap/model/target/classes/:../../ldap/codec/core/target/classes/ \
>   ./ReproducerDecodeNullPointerException.java
> {code}
> 5. Reproduce the exception:
> {code:bash}
> java -cp \
>   .:../../asn1/ber/target/classes/:../../asn1/api/target/classes/:../../ldap/codec/core/target/classes/:../../ldap/model/target/classes/:../../ldap/codec/core/target/classes/:../../util/target/classes/:../../util/target/classes/:../../integ-osgi/target/dependency/slf4j-api-1.7.36.jar:../../i18n/target/classes/:../../integ-osgi/target/dependency/mina-core-2.2.3.jar \
>   ReproducerDecodeNullPointerException
> {code}
> Found by Linux Verification Center (portal.linuxtesting.ru) with jazzer.
> Author L.Reviakin (l.revia...@fobos-nt.ru)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
