[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#5580) BER Decoding Remote DoS Vulnerability
--On Friday, June 27, 2008 12:41 AM +0000 hyc@symas.com wrote:
> Howard Chu wrote:
>> zdi-disclosures@tippingpoint.com wrote:
>>> Full_Name: Cameron Hotchkies
>>> Version: 2.3.41
>>> OS: Gentoo Linux
>>> URL: ftp://ftp.openldap.org/incoming/
>>> Submission from: (NULL) (66.179.208.36)
>>>
>>>
>>> This vulnerability allows remote attackers to deny services on
>>> vulnerable installations of OpenLDAP. Authentication is not required to
>>> exploit this vulnerability.
>>
>> Thanks for the report, a fix is now in HEAD. Please test.
>
> For future reference, it looks like this may have crept in in 2001, rev
> 1.88/ITS#2465...
2003, not 2001?
1.88 Thu Apr 24 00:10:18 2003 UTC; 5 years, 2 months ago by hyc
Changed since 1.87: +3 -3 lines
Diffs to 1.87 (colored diff)
ITS#2465 fix? ber_get_next must read at least sizeof(tag)+sizeof(len)
which should be at most 8 bytes. However if we read more than the minimum
message length, we have a problem because we steal bytes from any following
message, and there is no buffer mechanism to push back excess data.
The shortest legitimate message is Unbind at 7 bytes, but there shouldn't
be anything following it. Abandon at 8 bytes is next, so always requesting
at least 8 bytes should be safe. Always requesting 9 was a problem.
Please double-check these assumptions...
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration