https://bugs.openldap.org/show_bug.cgi?id=10426
Issue ID: 10426
Summary: liblber: ber_get_stringbvl integer overflow enables heap buffer overflow via {M} parsing (32-bit builds)
Product: OpenLDAP
Version: 2.6.10
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: libraries
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Created attachment 1105
--> https://bugs.openldap.org/attachment.cgi?id=1105&action=edit
build.sh
## Issue description
Vulnerable location: `libraries/liblber/decode.c` in `ber_get_stringbvl()`
Root cause: in the first pass that counts elements, `tot_size += siz` is
performed on a `ber_len_t` with no overflow check. On 32-bit builds, a large BER
sequence (e.g., SearchRequest attributes parsed via `{M}`) wraps `tot_size`.
The allocation uses the wrapped value (`ber_memalloc_x(tot_size + siz, ...)`),
producing an undersized buffer. The second pass then writes `i` elements into
the vector (BvOff mode for `{M}`), advancing `tot_size` by `siz` and storing a
`struct berval` at `res.bo + tot_size`, which overruns the allocation.
Call path observed in the ASAN trace:
`slapd` -> `do_search` (`servers/slapd/search.c:145`, `ber_scanf("{M}}")`) ->
`ber_scanf` (`libraries/liblber/decode.c:815`) -> `ber_get_stringbvl`
(`libraries/liblber/decode.c:471`) -> heap buffer overflow.
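The size arithmetic described above and its mitigation, as an added example that is not OpenLDAP's code: a hypothetical model of the counting pass with `ber_len_t` taken as a 32-bit unsigned type, beside a checked version that refuses any input whose accumulated size would wrap instead of handing the wrapped value to the allocator. The function names, `len32_t` and the sample strides are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: ber_len_t on a 32-bit build, modelled as a 32-bit unsigned type. */
typedef uint32_t len32_t;
#define LEN32_MAX UINT32_MAX

/*
 * Counting pass as the report describes it: one slot of siz bytes is added
 * to tot_size per element, then the vector is allocated with tot_size + siz
 * (the terminating entry).  The additions can wrap, so the returned size may
 * be far smaller than the nelems * siz bytes the second pass will write.
 */
static len32_t vector_size_unchecked(len32_t nelems, len32_t siz)
{
    len32_t tot_size = 0;
    for (len32_t i = 0; i < nelems; i++)
        tot_size += siz;            /* no overflow check: wraps silently */
    return tot_size + siz;          /* wrapped value feeds the allocation */
}

/*
 * Hardened form: check before every addition that the sum fits in len32_t,
 * so the caller can reject the message instead of allocating an undersized
 * buffer.
 */
static bool vector_size_checked(len32_t nelems, len32_t siz, len32_t *out)
{
    len32_t tot_size = 0;
    for (len32_t i = 0; i < nelems; i++) {
        if (siz > LEN32_MAX - tot_size)
            return false;           /* tot_size + siz would wrap */
        tot_size += siz;
    }
    if (siz > LEN32_MAX - tot_size)
        return false;               /* terminator slot would wrap */
    *out = tot_size + siz;
    return true;
}

int main(void)
{
    len32_t n;
    /* Constructed input: 4 elements with a 1 GiB stride wrap a 32-bit total. */
    printf("unchecked: %u\n", (unsigned)vector_size_unchecked(4, 0x40000000u));
    printf("checked:   %s\n", vector_size_checked(4, 0x40000000u, &n) ? "ok" : "rejected");
    return 0;
}
```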
## Reproduction Steps
Build instructions:
```bash
mkdir /tmp/openldap-ber-get-stringbvl-overflow
cd /tmp/openldap-ber-get-stringbvl-overflow
# create the following files in this directory
chmod +x build.sh poc.sh
git clone https://github.com/openldap/openldap
./build.sh ./openldap
# Run the PoC
./poc.sh
```