https://bugs.openldap.org/show_bug.cgi?id=10145

          Issue ID: 10145
           Summary: ldap_url_parse_ext buffer overread
           Product: OpenLDAP
           Version: 2.6.6
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Keywords: needs_review
          Severity: normal
          Priority: ---
         Component: libraries
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

Hi there,

There is an easy-to-trigger buffer overread in the function ldap_url_parse_ext
in libraries/libldap/url.c:

 850         url_tmp = skip_url_prefix( url_in, &enclosed, &scheme );
 851
 852         if ( url_tmp == NULL ) {
 853                 return LDAP_URL_ERR_BADSCHEME;
 854         }
 855
 856         assert( scheme != NULL );
 857
 858         proto = ldap_pvt_url_scheme2proto( scheme );
 859         if ( proto == -1 ) {
 860                 return LDAP_URL_ERR_BADSCHEME;
 861         }
 862
 863         /* make working copy of the remainder of the URL */
 864         url = LDAP_STRDUP( url_tmp );
 865         if ( url == NULL ) {
 866                 return LDAP_URL_ERR_MEM;
 867         }
 868
 869         if ( enclosed ) {
 870                 p = &url[strlen(url)-1];
 871
 872                 if( *p != '>' ) {
 873                         LDAP_FREE( url );
 874                         return LDAP_URL_ERR_BADENCLOSURE;
 875                 }
 876
 877                 *p = '\0';
 878         }

The function skip_url_prefix, presented with a url_in that is exactly
'<ldap://', will work towards line 870, which will set:

p = &url[strlen(0)-1];

This causes a one-byte buffer overread.

This issue can be triggered by calling ldap_url_parse_ext with a url of exactly
"<ldap://".

This issue can be triggered both through the library, and slapd.

=================================================================
==1986888==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000004c2f at pc 0x7ffff7eed3c2 bp 0x7fffffffde10 sp 0x7fffffffde08
READ of size 1 at 0x602000004c2f thread T0
    #0 0x7ffff7eed3c1 in ldap_url_parse_ext
/home/jrogers/openldap-clean/libraries/libldap/url.c:872:7
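As an added illustration (not OpenLDAP's code), the enclosure check from lines 864-878 of the report, reimplemented stand-alone with the missing length guard; the error codes and the function name are placeholders for this example:

```c
#include <stdlib.h>
#include <string.h>

/* Placeholder codes standing in for the LDAP_URL_ERR_* constants. */
enum { URL_OK = 0, URL_ERR_MEM = 1, URL_ERR_BADENCLOSURE = 2 };

/* url_tmp is the text after the scheme prefix (for "<ldap://" it is the
 * empty string), enclosed says whether a leading '<' was seen. On success
 * *out receives a heap copy with the trailing '>' removed; caller frees. */
int strip_enclosure(const char *url_tmp, int enclosed, char **out)
{
    size_t len = strlen(url_tmp);

    /* working copy of the remainder, as url.c does with LDAP_STRDUP */
    char *url = malloc(len + 1);
    if (url == NULL)
        return URL_ERR_MEM;
    memcpy(url, url_tmp, len + 1);

    if (enclosed) {
        /* The guard: an empty remainder has no last byte. Without it,
         * strlen(url)-1 wraps to SIZE_MAX and &url[len-1] is url[-1],
         * the one-byte heap over-read AddressSanitizer reports above. */
        if (len == 0 || url[len - 1] != '>') {
            free(url);
            return URL_ERR_BADENCLOSURE;
        }
        url[len - 1] = '\0';
    }

    *out = url;
    return URL_OK;
}
```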
