- Resolves: RHEL-165978 - Replication halt caused by an incorrect setting of "nsslapd-changelogmaxage" - Resolves: RHEL-166003 - Crash in replica_config_add when manually configuring a replica with an incorrect nsds5ReplicaRoot. - Resolves: RHEL-166004 - Possible memory leak when using the Retro Changelog plugin. - Resolves: RHEL-168908 - ns-slapd fails to shutdown when deferred memberof update is in progress - Resolves: RHEL-168964 - Web console doesn't show the sub suffix of ou=foo,ou=people,dc=example,dc=com. [rhel-9] - Resolves: RHEL-168972 - Replica installation is failing with message MDB_BAD_VALSIZE: Unsupported size of key/DB name/data, or wrong DUPFIXED [rhel-9] - Resolves: RHEL-169530 - Rebase 389-ds-base to 2.9.x - Resolves: RHEL-170270 - DS 12 does not handle escape char in bind user [rhel-9] - Resolves: RHEL-170275 - dnaSharedConfig: "dnaPortNum: 0" [rhel-9] - Resolves: RHEL-170280 - Memory leaks in syncrepl plugin during persistent search operations [rhel-9] - Resolves: RHEL-170287 - access log - suspicious wtime optime negative and large values in internal op [rhel-9] - Resolves: RHEL-170477 - An online reinitialization with LMDB is terminating the receiving server [rhel-9] - Resolves: RHEL-170480 - dsctl healthcheck DSMOLE0001 inaccurate recommendations when there is more than 1 LDAP backend [rhel-9] - Resolves: RHEL-170651 - passwordbadwords attribute of the local password policy is not functioning [rhel-9] - Resolves: RHEL-170732 - Memory leaks in IPA context on server restart [rhel-9] - Resolves: RHEL-174525 - [RFE] Add OS-level thread names to all server threads [rhel-9] - Resolves: RHEL-180717 - Online export is failing when using the option "-s" [rhel-9]
46 lines
1.6 KiB
Diff
46 lines
1.6 KiB
Diff
From 71cda087462c7cef744555676603c7c5fde3ca55 Mon Sep 17 00:00:00 2001
|
|
From: Mark Reynolds <mreynolds@redhat.com>
|
|
Date: Wed, 3 Jun 2026 17:52:09 -0400
|
|
Subject: [PATCH 1/8] Issue 7554 - deref plugin null pointer dereference if
|
|
ber_init fails
|
|
|
|
Description:
|
|
|
|
**CWE**: CWE-476 (NULL Pointer Dereference)
|
|
|
|
A flaw in the 389 Directory Server's dereference control plugin allows an
|
|
unauthenticated attacker to crash the LDAP server when the system is under
|
|
memory pressure(OOM). The deref plugin, enabled by default, fails to check for
|
|
a memory allocation failure before using the result, causing the server
|
|
process to terminate.
|
|
|
|
CI test 'test_deref_and_access_control' already covers this fix.
|
|
|
|
relates: https://github.com/389ds/389-ds-base/issues/7554
|
|
|
|
Reviewed by: tbordaz & progier(Thanks!!)
|
|
---
|
|
ldap/servers/plugins/deref/deref.c | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/ldap/servers/plugins/deref/deref.c b/ldap/servers/plugins/deref/deref.c
|
|
index fc1c10f71..fc157f6d6 100644
|
|
--- a/ldap/servers/plugins/deref/deref.c
|
|
+++ b/ldap/servers/plugins/deref/deref.c
|
|
@@ -357,6 +357,12 @@ deref_parse_ctrl_value(DerefSpecList *speclist, const struct berval *ctrlbv, int
|
|
}
|
|
|
|
ber = ber_init((struct berval *)ctrlbv);
|
|
+ if (!ber) {
|
|
+ *ldapcode = LDAP_UNWILLING_TO_PERFORM;
|
|
+ *ldaperrtext = "Deref control parsing failed to initialize BER element";
|
|
+ return;
|
|
+ }
|
|
+
|
|
for (tag = ber_first_element(ber, &len, &last);
|
|
(tag != LBER_ERROR) && (tag != LBER_END_OF_SEQORSET);
|
|
tag = ber_next_element(ber, &len, last)) {
|
|
--
|
|
2.54.0
|
|
|