https://bugs.openldap.org/show_bug.cgi?id=10430
--- Comment #3 from [email protected] ---

Hi,

Thank you for the fix. We tested commit 2c5388b on master with our original PoC, but the issue still reproduces.

### Test Code

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ldap.h>
#include <ldap_schema.h>
int main(int argc, char **argv) {
    FILE *f = fopen("poc", "rb");           /* PoC bytes are read from a file named "poc" */
    fseek(f, 0, SEEK_END);
    long size = ftell(f);
    fseek(f, 0, SEEK_SET);
    char *input = malloc(size + 1);         /* size + 1 so the buffer can be NUL-terminated */
    fread(input, 1, size, f);
    input[size] = '\0';
    fclose(f);

    int code = 0;
    const char *errp = NULL;
    LDAPAttributeType *at = ldap_str2attributetype(input, &code, &errp, LDAP_SCHEMA_ALLOW_ALL);
    if (at) ldap_attributetype_free(at);
    free(input);
    return 0;
}
```

PoC (49 bytes):

```
(13.5 NAME 'caseExactMatch' SYNTAX 'nooideithe1r.
```

Build:

```bash
clang -fsanitize=address -g -O1 -I include \
    -L libraries/libldap/.libs -L libraries/liblber/.libs \
    test.c -o test -lldap -llber \
    -Wl,-rpath,libraries/libldap/.libs:libraries/liblber/.libs
```

### Crash Trace

```
==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5060000000b2 at pc 0x7fb2de6cc7b2 bp 0x7ffd07918e30 sp 0x7ffd07918e28
READ of size 1 at 0x5060000000b2 thread T0
    #0 in parse_whsp schema.c:1090:10
    #1 in ldap_str2attributetype schema.c:2313:5
    #2 in main test.c:18:29

0x5060000000b2 is located 0 bytes after 50-byte region [0x506000000080,0x5060000000b2)
allocated by thread T0 here:
    #0 in malloc
    #1 in main test.c:11:19

SUMMARY: AddressSanitizer: heap-buffer-overflow schema.c:1090:10 in parse_whsp
```

We are happy to test any updated patches.
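Editor's note (not part of the reporter's comment): the sanitizer report above says the one-byte read lands at offset 50 of a 50-byte region, i.e. the position just past the NUL that terminates the 49-byte PoC, and the PoC ends in an unterminated quoted SYNTAX value. The following is an added, self-contained illustration of that bug shape, written for this page; it is not OpenLDAP's `parse_whsp` or schema-parser code and makes no claim about how `schema.c` is actually written. The function names (`scan_quoted_naive`, `scan_quoted_safe`, `skip_whsp`, `naive_overshoot`, `parse_two_quoted_safe`) and the sample inputs are constructed for the example. It contrasts a quoted-string scanner that steps over the terminator when no closing quote exists with one that stops at the NUL and reports the error, so a caller's whitespace skipper never starts past the end of the buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical illustration (not OpenLDAP's code): a quoted-string scanner
 * that, on an unterminated quote, hands back a position one byte past the
 * NUL terminator, and a whitespace skipper that would then read from that
 * position. That is the shape of a one-byte-past-the-end heap read.
 */

/* Naive scanner: advances past the "closing quote" without checking that a
 * closing quote was ever found. On "'abc" it returns a pointer just past NUL. */
static const char *scan_quoted_naive(const char *p)
{
    p++;                       /* skip the opening quote */
    while (*p != '\'' && *p != '\0')
        p++;
    return p + 1;              /* wrong when *p == '\0': one past the terminator */
}

/* Hardened scanner: never steps over the terminator and reports a missing
 * closing quote to the caller. Returns NULL on error. */
static const char *scan_quoted_safe(const char *p)
{
    if (*p != '\'')
        return NULL;           /* not a quoted string at all */
    p++;
    while (*p != '\'') {
        if (*p == '\0')
            return NULL;       /* unterminated quoted string */
        p++;
    }
    return p + 1;              /* *p is the closing quote, so p + 1 is in bounds */
}

/* Whitespace skipper: safe only if the caller never passes a pointer past NUL. */
static const char *skip_whsp(const char *p)
{
    while (*p == ' ' || *p == '\t')
        p++;
    return p;
}

/*
 * Distance between where the naive scanner stops and the input's NUL.
 * A result of 1 means "one byte past the terminator": dereferencing that
 * position (as skip_whsp would) is the out-of-bounds read a sanitizer flags.
 * The pointer is only compared here, never dereferenced.
 */
ptrdiff_t naive_overshoot(const char *input)
{
    const char *end = scan_quoted_naive(input);
    return end - (input + strlen(input));
}

/*
 * Parse "<quoted> <quoted>" with the hardened scanner.
 * Returns 0 on success, -1 when either quoted string is unterminated.
 */
int parse_two_quoted_safe(const char *input)
{
    const char *p = scan_quoted_safe(input);
    if (p == NULL)
        return -1;
    p = skip_whsp(p);
    p = scan_quoted_safe(p);
    if (p == NULL)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed inputs; the second mirrors an unterminated quoted value. */
    const char *good = "'caseExactMatch' 'nooid'";
    const char *bad  = "'nooideithe1r.";

    printf("naive scanner on unterminated input: %td byte(s) past NUL\n",
           naive_overshoot(bad));
    printf("hardened parse of good input: %d\n", parse_two_quoted_safe(good));
    printf("hardened parse of bad input:  %d\n", parse_two_quoted_safe(bad));
    return 0;
}
```

Run under `-fsanitize=address` the hardened path stays silent on both inputs, while any caller that dereferenced the naive scanner's result on the unterminated input would trip the same kind of heap-buffer-overflow READ of size 1 shown in the trace.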
