On Tue, May 01, 2018 at 08:14:50PM +0000, [email protected] wrote:
> 2 small issues:
> I'm keeping it brief, let me know if you need more information.
>
> A malicious LDAP server or mitm attacker can craft a response that causes the
> ldap client to crash. Nothing critical, just a simple DoS.
> [...]
> The problem here is that retoid can be NULL after ldap_parse_intermediate() is
> called.
>
> Another NULL pointer dereference caused by a bad response:
> [...]
> The PoC leads to memcpy being called with a NULL pointer as second argument
> (ava->la_value.bv_val) in dn2domain() (libraries/libldap/getdn.c):
>
> AC_MEMCPY( str, ava->la_value.bv_val, ava->la_value.bv_len + 1);

Both are fixed in this branch:
https://github.com/mistotebe/openldap/tree/its8842

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
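
Both crashes in the quoted report follow one pattern: a field of an untrusted response is used without a NULL check. The sketch below is an added example, not code from the its8842 branch or from OpenLDAP; `struct bv`, `copy_ava_value()` and `intermediate_matches()` are hypothetical stand-ins for a berval-style value and for client code that consumes `retoid`.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a length-prefixed value parsed from a response. */
struct bv {
    size_t      len;
    const char *val;   /* NULL when the peer sent an empty or malformed value */
};

/* Copy a parsed value into dst and NUL-terminate it. Returns bytes copied,
 * or -1 if the value is unusable. The unchecked form,
 * memcpy(dst, v->val, v->len + 1), dereferences NULL when val is NULL. */
long copy_ava_value(char *dst, size_t dstcap, const struct bv *v)
{
    if (dst == NULL || dstcap == 0 || v == NULL)
        return -1;
    if (v->val == NULL)          /* absent value: reject instead of copying */
        return -1;
    if (v->len >= dstcap)        /* need room for len bytes plus the NUL */
        return -1;
    memcpy(dst, v->val, v->len);
    dst[v->len] = '\0';          /* do not rely on the source being terminated */
    return (long)v->len;
}

/* Compare an optional, peer-supplied response OID with the expected one.
 * Returns 1 on match, 0 on mismatch or when the OID is missing. */
int intermediate_matches(const char *retoid, const char *expected)
{
    if (retoid == NULL || expected == NULL)
        return 0;                /* strcmp() on NULL would crash */
    return strcmp(retoid, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: one well-formed value, one with a NULL pointer. */
    char out[16];
    struct bv good = { 7, "example" };
    struct bv bad  = { 7, NULL };

    printf("good: %ld\n", copy_ava_value(out, sizeof out, &good));
    printf("bad:  %ld\n", copy_ava_value(out, sizeof out, &bad));
    printf("oid:  %d\n", intermediate_matches(NULL, "1.2.3.4"));
    return 0;
}
```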
