13c47e0e20
CVE-2010-0212 openldap: modrdn processing IA5StringNormalize NULL pointer dereference (#605452) obsolete configuration file moved to /usr/share/openldap-servers (#612602)
75 lines
2.9 KiB
Diff
75 lines
2.9 KiB
Diff
bz #605448 CVE-2010-0211 openldap: modrdn processing uninitialized pointer free
|
|
bz #605452 CVE-2010-0212 openldap: modrdn processing IA5StringNormalize NULL pointer dereference
|
|
|
|
diff -urp openldap-2.4.22/servers/slapd/dn.c openldap-2.4.22.new/servers/slapd/dn.c
|
|
--- openldap-2.4.22/servers/slapd/dn.c 2010-04-13 22:23:14.000000000 +0200
|
|
+++ openldap-2.4.22.new/servers/slapd/dn.c 2010-07-19 17:57:51.974346501 +0200
|
|
@@ -302,16 +302,13 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned f
|
|
ava->la_attr = ad->ad_cname;
|
|
|
|
if( ava->la_flags & LDAP_AVA_BINARY ) {
|
|
- if( ava->la_value.bv_len == 0 ) {
|
|
- /* BER encoding is empty */
|
|
- return LDAP_INVALID_SYNTAX;
|
|
- }
|
|
+ /* AVA is binary encoded, not supported */
|
|
+ return LDAP_INVALID_SYNTAX;
|
|
|
|
/* Do not allow X-ORDERED 'VALUES' naming attributes */
|
|
} else if( ad->ad_type->sat_flags & SLAP_AT_ORDERED_VAL ) {
|
|
return LDAP_INVALID_SYNTAX;
|
|
|
|
- /* AVA is binary encoded, don't muck with it */
|
|
} else if( flags & SLAP_LDAPDN_PRETTY ) {
|
|
transf = ad->ad_type->sat_syntax->ssyn_pretty;
|
|
if( !transf ) {
|
|
@@ -379,6 +376,10 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned f
|
|
ava->la_value = bv;
|
|
ava->la_flags |= LDAP_AVA_FREE_VALUE;
|
|
}
|
|
+ /* reject empty values */
|
|
+ if (!ava->la_value.bv_len) {
|
|
+ return LDAP_INVALID_SYNTAX;
|
|
+ }
|
|
}
|
|
rc = LDAP_SUCCESS;
|
|
|
|
diff -urp openldap-2.4.22/servers/slapd/modrdn.c openldap-2.4.22.new/servers/slapd/modrdn.c
|
|
--- openldap-2.4.22/servers/slapd/modrdn.c 2010-04-13 22:23:16.000000000 +0200
|
|
+++ openldap-2.4.22.new/servers/slapd/modrdn.c 2010-07-19 17:57:51.975346274 +0200
|
|
@@ -445,12 +445,19 @@ slap_modrdn2mods(
|
|
mod_tmp->sml_values[1].bv_val = NULL;
|
|
if( desc->ad_type->sat_equality->smr_normalize) {
|
|
mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) );
|
|
- (void) (*desc->ad_type->sat_equality->smr_normalize)(
|
|
+ rs->sr_err = desc->ad_type->sat_equality->smr_normalize(
|
|
SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
|
|
desc->ad_type->sat_syntax,
|
|
desc->ad_type->sat_equality,
|
|
&mod_tmp->sml_values[0],
|
|
&mod_tmp->sml_nvalues[0], NULL );
|
|
+ if (rs->sr_err != LDAP_SUCCESS) {
|
|
+ ch_free(mod_tmp->sml_nvalues);
|
|
+ ch_free(mod_tmp->sml_values[0].bv_val);
|
|
+ ch_free(mod_tmp->sml_values);
|
|
+ ch_free(mod_tmp);
|
|
+ goto done;
|
|
+ }
|
|
mod_tmp->sml_nvalues[1].bv_val = NULL;
|
|
} else {
|
|
mod_tmp->sml_nvalues = NULL;
|
|
diff -urp openldap-2.4.22/servers/slapd/schema_init.c openldap-2.4.22.new/servers/slapd/schema_init.c
|
|
--- openldap-2.4.22/servers/slapd/schema_init.c 2010-04-14 20:12:15.000000000 +0200
|
|
+++ openldap-2.4.22.new/servers/slapd/schema_init.c 2010-07-19 17:57:51.978346712 +0200
|
|
@@ -1735,8 +1735,9 @@ UTF8StringNormalize(
|
|
? LDAP_UTF8_APPROX : 0;
|
|
|
|
val = UTF8bvnormalize( val, &tmp, flags, ctx );
|
|
+ /* out of memory or syntax error, the former is unlikely */
|
|
if( val == NULL ) {
|
|
- return LDAP_OTHER;
|
|
+ return LDAP_INVALID_SYNTAX;
|
|
}
|
|
|
|
/* collapse spaces (in place) */
|