(ITS#9175) ldapsearch segfault
Full_Name: Lexi Haley
Version: 02/20/2020 trunk commit 299fb490a27e7b0e5a60464e33f5ea04d00f0f7c
OS: CYGWIN on Windows
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (208.206.3.188)
Using clients/tools/ldapsearch to interact with my company's Active Directory,
I receive a segfault in libraries/liblber/decode.c. The 'gist' of the
command I executed was:
ldapsearch.exe -h companyADserver -b cn=users,dc=company,dc=com -s sub '(cn=z*)' cn
The gdb backtrace is (omitting all the (arg=val) items for brevity):
#0 ber_get_stringbvl (...) at decode.c:445
#1 0x0000000100435781 in ber_scanf (...) at decode.c:820
#2 0x000000010041a605 in ldap_get_attribute_ber (...) at getattr.c:149
#3 0x0000000100401d93 in print_entry (...) at ldapsearch.c:1758
#5 0x000000010043bfd7 in main (...) at ldapsearch.c:1510
Digging around, here is what I see going on. In decode.c, during the
ber_get_stringbvl function, the passed-in b (aka the cookie from the caller) has the
following values:
{choice = BvOff, option = 0, siz = 1, off = 4294967296, result = 0x800055410}
Notice that off is 0x100000000 - a likely ridiculous (and thus a possible MAGIC)
value. Examining in ber_scanf, looking at the memory for the va_args - i.e.
examining ap - I see (sure enough) 0x100000000...
As a hacky temporary workaround, I added to my ber_get_stringbvl, before even
pulling the tag:
} res;
+ if (b->off == 0x100000000)
+ return LBER_DEFAULT;
tag = ber_skip_tag( ber, &bv.bv_len );
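Review bot: the added `if (b->off == 0x100000000) return LBER_DEFAULT;` compares against one value observed in this particular run, so it masks the symptom rather than the cause: any other out-of-range off still reaches the code that segfaults at decode.c:445, and the check says nothing about why ber_scanf hands down a cookie with siz = 1 and off = 4294967296 in the first place. A more useful change would be a general bounds check on the cookie (off must fit within the element size siz describes) together with a diagnostic at the point in ber_scanf where the cookie fields are filled from the va_args, so the origin of the bad offset is pinned down instead of special-cased.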
I did try rewinding my source back to OPENLDAP_REL_ENG_2_4_40 (2014) and then to
OPENLDAP_REL_ENG_2_4_30 (2012), and both compilations still yielded the segfault
error I described above.
I'm afraid I do not know much about LDAP or Active Directory, so I easily might be
omitting something relevant and/or completely missing the mark in different ways.
Feel free to ask me for more information, and/or suggest what I might try out.
Thanks,
Lexi