389-ds-base/0001-Issue-7554-deref-plugin-null-pointer-dereference-if-.patch
Viktor Ashirov c824da947d Bump version to 2.9.0
- Resolves: RHEL-165978 - Replication halt caused by an incorrect setting of "nsslapd-changelogmaxage"
- Resolves: RHEL-166003 - Crash in replica_config_add when manually configuring a replica with an incorrect nsds5ReplicaRoot.
- Resolves: RHEL-166004 - Possible memory leak when using the Retro Changelog plugin.
- Resolves: RHEL-168908 - ns-slapd fails to shutdown when deferred memberof update is in progress
- Resolves: RHEL-168964 - Web console doesn't show the sub suffix of ou=foo,ou=people,dc=example,dc=com. [rhel-9]
- Resolves: RHEL-168972 - Replica installation is failing with message MDB_BAD_VALSIZE: Unsupported size of key/DB name/data, or wrong DUPFIXED [rhel-9]
- Resolves: RHEL-169530 - Rebase 389-ds-base to 2.9.x
- Resolves: RHEL-170270 - DS 12 does not handle escape char in bind user [rhel-9]
- Resolves: RHEL-170275 - dnaSharedConfig: "dnaPortNum: 0" [rhel-9]
- Resolves: RHEL-170280 - Memory leaks in syncrepl plugin during persistent search operations [rhel-9]
- Resolves: RHEL-170287 - access log - suspicious wtime  optime negative and large values in internal op [rhel-9]
- Resolves: RHEL-170477 - An online reinitialization with LMDB is terminating the receiving server [rhel-9]
- Resolves: RHEL-170480 - dsctl healthcheck DSMOLE0001 inaccurate recommendations when there is more than 1 LDAP backend [rhel-9]
- Resolves: RHEL-170651 - passwordbadwords attribute of the local password policy is not functioning [rhel-9]
- Resolves: RHEL-170732 - Memory leaks in IPA context on server restart [rhel-9]
- Resolves: RHEL-174525 - [RFE] Add OS-level thread names to all server threads [rhel-9]
- Resolves: RHEL-180717 - Online export is failing when using the option "-s" [rhel-9]
2026-06-05 14:01:37 +02:00

46 lines
1.6 KiB
Diff

From 71cda087462c7cef744555676603c7c5fde3ca55 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 3 Jun 2026 17:52:09 -0400
Subject: [PATCH 1/8] Issue 7554 - deref plugin null pointer dereference if
ber_init fails
Description:
**CWE**: CWE-476 (NULL Pointer Dereference)
A flaw in the 389 Directory Server's dereference control plugin allows an
unauthenticated attacker to crash the LDAP server when the system is under
memory pressure(OOM). The deref plugin, enabled by default, fails to check for
a memory allocation failure before using the result, causing the server
process to terminate.
CI test 'test_deref_and_access_control' already covers this fix.
relates: https://github.com/389ds/389-ds-base/issues/7554
Reviewed by: tbordaz & progier(Thanks!!)
---
ldap/servers/plugins/deref/deref.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ldap/servers/plugins/deref/deref.c b/ldap/servers/plugins/deref/deref.c
index fc1c10f71..fc157f6d6 100644
--- a/ldap/servers/plugins/deref/deref.c
+++ b/ldap/servers/plugins/deref/deref.c
@@ -357,6 +357,12 @@ deref_parse_ctrl_value(DerefSpecList *speclist, const struct berval *ctrlbv, int
}
ber = ber_init((struct berval *)ctrlbv);
+ if (!ber) {
+ *ldapcode = LDAP_UNWILLING_TO_PERFORM;
+ *ldaperrtext = "Deref control parsing failed to initialize BER element";
+ return;
+ }
+
for (tag = ber_first_element(ber, &len, &last);
(tag != LBER_ERROR) && (tag != LBER_END_OF_SEQORSET);
tag = ber_next_element(ber, &len, last)) {
--
2.54.0