Full_Name: Ryan Tandy
Version: master (7df548d), RE24 (2b14bbc)
OS: Debian unstable
URL:
Submission from: (NULL) (142.32.208.227)

If you use the deref control but leave the list of requested attributes empty, slapd crashes.

ldapsearch [...] -E deref=member:

#0  0x0000000000516ef0 in deref_parseCtrl (op=0x7fffec000940, rs=0x7ffff57eeac0, ctrl=0x7fffec001238) at deref.c:225
#1  0x000000000046a84d in slap_parse_ctrl (op=0x7fffec000940, rs=0x7ffff57eeac0, control=0x7fffec001238, text=0x7ffff57eeae0) at controls.c:693
#2  0x000000000046b0f5 in get_ctrls2 (op=0x7fffec000940, rs=0x7ffff57eeac0, sendres=1, ctag=160) at controls.c:886
#3  0x000000000046a8ff in get_ctrls (op=0x7fffec000940, rs=0x7ffff57eeac0, sendres=1) at controls.c:723
#4  0x000000000042e94e in do_search (op=0x7fffec000940, rs=0x7ffff57eeac0) at search.c:195
#5  0x000000000042bdf3 in connection_operation (ctx=0x7ffff57eebf0, arg_v=0x7fffec000940) at connection.c:1134
#6  0x000000000042c3a3 in connection_read_thread (ctx=0x7ffff57eebf0, argv=0xb) at connection.c:1280
#7  0x0000000000538938 in ldap_int_thread_pool_wrapper (xpool=0x892bc0) at tpool.c:958
#8  0x00007ffff79b00a4 in start_thread (arg=0x7ffff57ef700) at pthread_create.c:309
#9  0x00007ffff76e4ccd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

(line numbers are from master)

The ldapsearch manpage implies this probably isn't valid, but it still accepted it. (FWIW, I tried it just to see whether it would return all attributes or none.) I couldn't tell from draft-ldap-deref-00 whether an empty attr list is considered a valid request.
ryan@nardis.ca wrote:
> Full_Name: Ryan Tandy
> Version: master (7df548d), RE24 (2b14bbc)
> OS: Debian unstable
> URL:
> Submission from: (NULL) (142.32.208.227)
>
>
> If you use the deref control but leave the list of requested attributes empty,
> slapd crashes.
>
> ldapsearch [...] -E deref=member:
>
> #0  0x0000000000516ef0 in deref_parseCtrl (op=0x7fffec000940, rs=0x7ffff57eeac0, ctrl=0x7fffec001238) at deref.c:225
> #1  0x000000000046a84d in slap_parse_ctrl (op=0x7fffec000940, rs=0x7ffff57eeac0, control=0x7fffec001238, text=0x7ffff57eeae0) at controls.c:693
> #2  0x000000000046b0f5 in get_ctrls2 (op=0x7fffec000940, rs=0x7ffff57eeac0, sendres=1, ctag=160) at controls.c:886
> #3  0x000000000046a8ff in get_ctrls (op=0x7fffec000940, rs=0x7ffff57eeac0, sendres=1) at controls.c:723
> #4  0x000000000042e94e in do_search (op=0x7fffec000940, rs=0x7ffff57eeac0) at search.c:195
> #5  0x000000000042bdf3 in connection_operation (ctx=0x7ffff57eebf0, arg_v=0x7fffec000940) at connection.c:1134
> #6  0x000000000042c3a3 in connection_read_thread (ctx=0x7ffff57eebf0, argv=0xb) at connection.c:1280
> #7  0x0000000000538938 in ldap_int_thread_pool_wrapper (xpool=0x892bc0) at tpool.c:958
> #8  0x00007ffff79b00a4 in start_thread (arg=0x7ffff57ef700) at pthread_create.c:309
> #9  0x00007ffff76e4ccd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
>
> (line numbers are from master)
>
> The ldapsearch manpage implies this probably isn't valid, but it still accepted
> it. (FWIW, I tried it just to see whether it would return all attributes or
> none.) I couldn't tell from draft-ldap-deref-00 whether an empty attr list is
> considered a valid request.

As I read the grammar in the draft, section 2.2, the attributeList is not OPTIONAL, so this is definitely not a valid request.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
hyc@symas.com wrote:
> As I read the grammar in the draft section 2.2 the attributeList is not
> OPTIONAL so this is definitely not a valid request.

But this invalid request must not crash slapd with slapo-deref installed.

Ciao, Michael.
ryan@nardis.ca wrote:
> Full_Name: Ryan Tandy
> Version: master (7df548d), RE24 (2b14bbc)
> OS: Debian unstable
> URL:
> Submission from: (NULL) (142.32.208.227)
>
>
> If you use the deref control but leave the list of requested attributes empty,
> slapd crashes.
>
> ldapsearch [...] -E deref=member:
>
> The ldapsearch manpage implies this probably isn't valid, but it still accepted
> it. (FWIW, I tried it just to see whether it would return all attributes or
> none.) I couldn't tell from draft-ldap-deref-00 whether an empty attr list is
> considered a valid request.
>

Patched in master to reject a request with an empty attr list.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
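The fix described in the thread is to reject the control before anything dereferences it. The following is an added illustration, not OpenLDAP's slapo-deref code and not the actual patch, of what such up-front validation of the control value looks like: a small bounds-checked BER reader that walks the controlValue as a SEQUENCE OF DerefSpec, each DerefSpec being a SEQUENCE of a derefAttr OCTET STRING followed by an attributes SEQUENCE OF OCTET STRING (my reading of the draft's ASN.1; treat that layout as an assumption). The function names deref_validate, ber_tlv and count_attrs and the three hand-encoded sample values (the empty-list form that "deref=member:" produces, a well-formed "deref=member:cn,uid", and a truncated buffer) are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Return codes for deref_validate(). */
enum {
    DEREF_OK = 0,
    DEREF_MALFORMED = -1,    /* bad BER, truncated, wrong tag, no DerefSpec */
    DEREF_EMPTY_ATTRS = -2   /* a DerefSpec whose AttributeList is empty */
};

#define TAG_SEQUENCE     0x30
#define TAG_OCTET_STRING 0x04

/* Minimal BER TLV reader (short-form and long-form lengths up to 4 bytes).
 * On success fills tag/val/vlen and returns the bytes consumed; 0 on error.
 * Every read is checked against n so a malformed length can never overrun. */
static size_t ber_tlv(const unsigned char *p, size_t n, unsigned char *tag,
                      const unsigned char **val, size_t *vlen)
{
    size_t i = 0, len = 0;
    if (n < 2) return 0;
    *tag = p[i++];
    if (p[i] & 0x80) {                 /* long form: low bits give byte count */
        size_t nb = p[i++] & 0x7f;
        if (nb == 0 || nb > 4 || nb > n - i) return 0;
        while (nb--) len = (len << 8) | p[i++];
    } else {
        len = p[i++];
    }
    if (len > n - i) return 0;         /* value would run past the buffer */
    *val = p + i;
    *vlen = len;
    return i + len;
}

/* Count the AttributeDescriptions in an AttributeList body; -1 if malformed. */
static int count_attrs(const unsigned char *p, size_t n)
{
    int count = 0;
    while (n > 0) {
        unsigned char tag; const unsigned char *v; size_t vl;
        size_t used = ber_tlv(p, n, &tag, &v, &vl);
        if (used == 0 || tag != TAG_OCTET_STRING || vl == 0) return -1;
        count++;
        p += used; n -= used;
    }
    return count;
}

/* Validate a complete deref controlValue before any dereferencing happens.
 * Assumed layout (my reading of the draft, not OpenLDAP's own parser):
 *   controlValue ::= SEQUENCE OF DerefSpec
 *   DerefSpec    ::= SEQUENCE { derefAttr OCTET STRING,
 *                               attributes SEQUENCE OF OCTET STRING } */
int deref_validate(const unsigned char *buf, size_t len)
{
    unsigned char tag; const unsigned char *specs; size_t slen;
    if (ber_tlv(buf, len, &tag, &specs, &slen) != len || tag != TAG_SEQUENCE)
        return DEREF_MALFORMED;
    if (slen == 0) return DEREF_MALFORMED;   /* need at least one DerefSpec */
    while (slen > 0) {
        const unsigned char *spec, *v; size_t plen, vl, u1, u2;
        size_t used = ber_tlv(specs, slen, &tag, &spec, &plen);
        if (used == 0 || tag != TAG_SEQUENCE) return DEREF_MALFORMED;
        /* derefAttr: a non-empty attribute description */
        u1 = ber_tlv(spec, plen, &tag, &v, &vl);
        if (u1 == 0 || tag != TAG_OCTET_STRING || vl == 0) return DEREF_MALFORMED;
        /* attributes: a SEQUENCE that exactly fills the rest of the DerefSpec */
        u2 = ber_tlv(spec + u1, plen - u1, &tag, &v, &vl);
        if (u2 == 0 || tag != TAG_SEQUENCE || u1 + u2 != plen) return DEREF_MALFORMED;
        {
            int na = count_attrs(v, vl);
            if (na < 0) return DEREF_MALFORMED;
            if (na == 0) return DEREF_EMPTY_ATTRS;   /* the "deref=member:" case */
        }
        specs += used; slen -= used;
    }
    return DEREF_OK;
}

/* Constructed samples (hand-encoded BER, not captured from a real server). */
static const unsigned char sample_empty[] = {   /* deref=member:  -> empty list */
    0x30, 0x0c, 0x30, 0x0a, 0x04, 0x06, 'm','e','m','b','e','r', 0x30, 0x00 };
static const unsigned char sample_good[] = {    /* deref=member:cn,uid */
    0x30, 0x15, 0x30, 0x13, 0x04, 0x06, 'm','e','m','b','e','r',
    0x30, 0x09, 0x04, 0x02, 'c','n', 0x04, 0x03, 'u','i','d' };
static const unsigned char sample_truncated[] = { /* outer length claims 12 bytes */
    0x30, 0x0c, 0x30, 0x0a, 0x04, 0x06, 'm','e','m' };

int check_empty(void)     { return deref_validate(sample_empty, sizeof sample_empty); }
int check_good(void)      { return deref_validate(sample_good, sizeof sample_good); }
int check_truncated(void) { return deref_validate(sample_truncated, sizeof sample_truncated); }

int main(void)
{
    printf("empty list: %d  well-formed: %d  truncated: %d\n",
           check_empty(), check_good(), check_truncated());
    return 0;
}
```

A server-side parser would map DEREF_EMPTY_ATTRS and DEREF_MALFORMED to a protocol-error result for the search, so the only thing a bad control value can cause is a rejected operation rather than a crash of the whole daemon.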
changed notes
changed state Open to Test
moved from Incoming to Software Bugs
changed notes
changed state Test to Release
> But this invalid request must not crash slapd with slapo-deref installed.

Of course not. But slapo-deref is not installed or enabled by default. And since it is undocumented, no one would enable it by accident - most don't even know that it exists.
fixed in master
fixed in RE25
fixed in RE24
changed notes
changed state Release to Closed
Howard Chu wrote:
> ryan@nardis.ca wrote:
>> Full_Name: Ryan Tandy
>> Version: master (7df548d), RE24 (2b14bbc)
>> OS: Debian unstable
>> URL:
>> Submission from: (NULL) (142.32.208.227)
>>
>>
>> If you use the deref control but leave the list of requested attributes empty,
>> slapd crashes.
>>
>> ldapsearch [...] -E deref=member:
>
>> The ldapsearch manpage implies this probably isn't valid, but it still accepted
>> it. (FWIW, I tried it just to see whether it would return all attributes or
>> none.) I couldn't tell from draft-ldap-deref-00 whether an empty attr list is
>> considered a valid request.
>>
> Patched in master to reject a request with an empty attr list.
>

For future reference, this was registered as CVE-2015-1545.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/