Full_Name: Rohan Kurane
Version: 2.4.40
OS: BSD 7.2
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (64.80.217.3)


In ldap_new_connection() in request.c, while setting up a connection to the LDAP
server, there is a possibility of dereferencing a NULL pointer in
lc->lconn_server.

if ( connect ) {
                LDAPURLDesc     **srvp, *srv = NULL;

                async = LDAP_BOOL_GET( &ld->ld_options, LDAP_BOOL_CONNECT_ASYNC );

                for ( srvp = srvlist; *srvp != NULL; srvp = &(*srvp)->lud_next ) {
                        int             rc;

                        rc = ldap_int_open_connection( ld, lc, *srvp, async );
                        if ( rc != -1 ) {
                                srv = *srvp;

                                if ( ld->ld_urllist_proc && ( !async || rc != -2 ) ) {
                                        ld->ld_urllist_proc( ld, srvlist, srvp, ld->ld_urllist_params );
                                }

                                break;
                        }
                }

                if ( srv == NULL ) {
                        if ( !use_ldsb ) {
                                ber_sockbuf_free( lc->lconn_sb );
                        }
                        LDAP_FREE( (char *)lc );
                        ld->ld_errno = LDAP_SERVER_DOWN;
                        return( NULL );
                }

                lc->lconn_server = ldap_url_dup( srv );
        }

ldap_url_dup() does a bunch of malloc's to set up lc->lconn_server. If any of
those malloc's fail, it returns NULL. The code does not check for a NULL
lconn_server pointer and tries to reference lud_exts. That can cause a
segmentation fault. 

if ( connect ) {
#ifdef HAVE_TLS
                if ( lc->lconn_server->lud_exts ) {
                        int rc, ext = find_tls_ext( lc->lconn_server );
                        if ( ext ) {
                                LDAPConn        *savedefconn;

Even though this should not happen, is this a known issue and are there any plans
to fix the OpenLDAP library?

Thank you
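
Added example, not part of the original report and not OpenLDAP code: a small C model of the pattern described above, where the result of a deep copy is checked before any field such as lud_exts is read. The types, the fault-injecting allocator and the names url_dup, new_connection_checked and ERR_NO_MEMORY are hypothetical stand-ins.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the structures named in the report. */
typedef struct url_desc { char *lud_host; char **lud_exts; } url_desc;
typedef struct conn { url_desc *lconn_server; } conn;
enum { ERR_NONE = 0, ERR_NO_MEMORY = 1 };

static int fail_after = -1;  /* fault injection: fail once N allocations succeeded; -1 = never */
static int live_allocs = 0;  /* outstanding allocations, used to detect leaks */

static void *xcalloc(size_t n, size_t sz) {
    void *p;
    if (fail_after == 0) return NULL;
    if (fail_after > 0) fail_after--;
    p = calloc(n, sz);
    if (p) live_allocs++;
    return p;
}
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }

/* Deep copy that returns NULL when any allocation fails, as the report describes. */
static url_desc *url_dup(const url_desc *src) {
    size_t len = strlen(src->lud_host) + 1;
    url_desc *d = xcalloc(1, sizeof *d);
    if (d == NULL) return NULL;
    d->lud_host = xcalloc(len, 1);
    if (d->lud_host == NULL) { xfree(d); return NULL; }
    memcpy(d->lud_host, src->lud_host, len);
    return d;
}

/* Checked variant: a failed copy is handled like any other setup failure. */
conn *new_connection_checked(const url_desc *srv, int *err) {
    conn *lc = xcalloc(1, sizeof *lc);
    if (lc == NULL) { *err = ERR_NO_MEMORY; return NULL; }
    lc->lconn_server = url_dup(srv);
    if (lc->lconn_server == NULL) {   /* the check the report says is missing */
        xfree(lc);
        *err = ERR_NO_MEMORY;
        return NULL;
    }
    *err = ERR_NONE;                  /* lc->lconn_server->lud_exts is safe to read from here */
    return lc;
}

void free_connection(conn *lc) {
    if (lc == NULL) return;
    xfree(lc->lconn_server->lud_host);
    xfree(lc->lconn_server);
    xfree(lc);
}
```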
