Ticket #571 (closed defect: fixed)

Opened 15 months ago

Last modified 7 weeks ago

server does not accept 0 length LDAP Control sequence

Reported by: rmeggins Owned by: tbordaz
Priority: major Milestone: 1.3.1
Component: Directory Server Version: 1.2.11
Keywords: Cc:
Blocked By: Blocking:
Review: ack Ticket origin: Community
Red Hat Bugzilla: 918717

Description

If a request is made with LDAP controls attached, but the controls have length 0, the server will err=2, failed to decode LDAP controls. This worked fine with mozldap but doesn't work with openldap.

Attachments

ticket571_testcase.tar.gz (2.1 KB) - added by tbordaz 4 months ago.
0002-Ticket-571-dup-47361-Empty-control-list-causes-LDAP-.patch (1.6 KB) - added by nhosoi 7 weeks ago.
git patch file (389-ds-base-1.3.1) -- covscan Defect type: COMPILER_WARNING

Change History

comment:1 Changed 15 months ago by nkinder

  • Milestone changed from 0.0 NEEDS_TRIAGE to 1.3.1

comment:2 Changed 15 months ago by nkinder

  • screened changed from 0 to 1

comment:3 Changed 15 months ago by tbordaz

  • Owner changed from rmeggins to tbordaz
  • Status changed from new to accepted

comment:4 Changed 14 months ago by tbordaz

Here is the current status

  • I reproduced the different behavior with openldap (openldap-devel-2.4.33) vs mozldap (mozldap-6.0.5)


Sending a null length known control, the operation was successfully processed with openldap


[14/Feb/2013:15:18:31 +0100] conn=3 fd=64 slot=64 connection from ::1 to ::1
[14/Feb/2013:15:18:31 +0100] conn=3 op=0 BIND dn="cn=directory manager" method=128 version=2
[14/Feb/2013:15:18:31 +0100] conn=3 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[14/Feb/2013:15:18:31 +0100] conn=3 op=1 SRCH base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[14/Feb/2013:15:18:31 +0100] conn=3 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[14/Feb/2013:15:18:31 +0100] conn=3 op=2 UNBIND
[14/Feb/2013:15:18:31 +0100] conn=3 op=2 fd=64 closed - U1



While it was rejected with mozldap


[14/Feb/2013:15:18:53 +0100] conn=4 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[14/Feb/2013:15:18:53 +0100] conn=4 op=0 BIND dn="cn=directory manager" method=128 version=3
[14/Feb/2013:15:18:53 +0100] conn=4 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[14/Feb/2013:15:18:53 +0100] conn=4 op=1 SRCH base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[14/Feb/2013:15:18:53 +0100] conn=4 op=1 RESULT err=2 tag=101 nentries=0 etime=0
[14/Feb/2013:15:18:53 +0100] conn=4 op=-1 fd=64 closed - B1

I suppose that openldap is not sending the "invalid" control but I need to check that

Here are the next steps

  • Continue investigations

comment:5 Changed 14 months ago by tbordaz

Here are the next steps

  • Checks done by openldap while encoding the control prevent openldap from sending a NULL control. This is not done by mozldap, so it is rejected at the server level

Here are the next steps

  • need to discuss what should be done next

comment:6 Changed 14 months ago by rmeggins

Can we change get_ldapmessage_controls_ext() to not return an error if it sees a zero length sequence of controls?

comment:7 Changed 14 months ago by tbordaz

This is already done: if the length of the sequence of controls is zero, the function get_ldapmessage_controls_ext() returns LDAP_SUCCESS and the operation continues.
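
The decoding rule discussed in comments 6 and 7, as an added example that is not part of the ticket and is not 389-ds-base code: a minimal C decoder for the optional controls element of an LDAPMessage (layout per RFC 4511) that treats a zero-length sequence as an empty list and still rejects truncated or malformed input. The names `read_len` and `count_controls` are hypothetical, and the sample byte arrays are constructed.

```c
#include <stddef.h>
#include <stdio.h>

enum { CTL_OK = 0, CTL_PROTOCOL_ERROR = 2 }; /* LDAP success(0), protocolError(2) */

/* Read one BER definite length at buf[*pos]; returns 0 on success, -1 if malformed. */
static int read_len(const unsigned char *buf, size_t n, size_t *pos, size_t *len)
{
    if (*pos >= n) return -1;
    unsigned char b = buf[(*pos)++];
    if (b < 0x80) { *len = b; return 0; }   /* short form */
    size_t nbytes = b & 0x7F;               /* long form: count of length octets */
    /* reject indefinite (0x80), oversized and truncated lengths */
    if (nbytes == 0 || nbytes > sizeof(size_t) || nbytes > n - *pos) return -1;
    for (*len = 0; nbytes > 0; nbytes--) *len = (*len << 8) | buf[(*pos)++];
    return 0;
}

/* Hypothetical helper: buf holds exactly the optional "controls [0] Controls"
 * element of an LDAPMessage (n == 0 means the element is absent). */
int count_controls(const unsigned char *buf, size_t n, size_t *count)
{
    size_t pos = 0, len;
    *count = 0;
    if (n == 0) return CTL_OK;
    if (buf[pos++] != 0xA0) return CTL_PROTOCOL_ERROR;      /* [0], constructed */
    if (read_len(buf, n, &pos, &len) || len != n - pos) return CTL_PROTOCOL_ERROR;
    /* len == 0: the loop body never runs, so an empty list is a success. */
    while (pos < n) {
        if (buf[pos++] != 0x30) return CTL_PROTOCOL_ERROR;  /* Control ::= SEQUENCE */
        if (read_len(buf, n, &pos, &len) || len > n - pos) return CTL_PROTOCOL_ERROR;
        if (len < 2 || buf[pos] != 0x04) return CTL_PROTOCOL_ERROR; /* controlType */
        pos += len;
        (*count)++;
    }
    return CTL_OK;
}

/* Constructed sample inputs (not captured traffic). */
const unsigned char EMPTY_LIST[] = { 0xA0, 0x00 };
const unsigned char ONE_CONTROL[] = { 0xA0, 0x09, 0x30, 0x07, 0x04, 0x05, '1', '.', '2', '.', '3' };
const unsigned char TRUNCATED[] = { 0xA0, 0x09, 0x30, 0x07, 0x04 };

int main(void)
{
    size_t c;
    int rc = count_controls(EMPTY_LIST, sizeof EMPTY_LIST, &c);
    printf("empty list: rc=%d controls=%zu\n", rc, c);
    return rc;
}
```

The empty list and the truncated element take different paths: the first is a well-formed encoding of "no controls", while the second declares more bytes than the buffer holds.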

comment:8 Changed 14 months ago by nkinder

  • Red Hat Bugzilla set to 918717

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=918717

comment:9 Changed 13 months ago by mreynolds

  • Resolution set to fixed
  • Status changed from accepted to closed

commit 36425a3d5875a05ee812c293b50eb0da44d8d39e
This commit addresses CVE-2013-0312.
git push origin 389-ds-base-1.2.11
Counting objects: 47, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (24/24), done.
Writing objects: 100% (24/24), 2.75 KiB, done.
Total 24 (delta 21), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
f32980b..36425a3 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
git push origin master
Counting objects: 47, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (24/24), done.
Writing objects: 100% (24/24), 2.80 KiB, done.
Total 24 (delta 21), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
da3be3f..ae13e44 master -> master
git push origin 389-ds-base-1.3.0
Counting objects: 47, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (24/24), done.
Writing objects: 100% (24/24), 2.78 KiB, done.
Total 24 (delta 21), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
8e0a35c..21c079e 389-ds-base-1.3.0 -> 389-ds-base-1.3.0
I had to commit some changes to 1.3.0/1.2.11 for two slapi attr functions:
git push origin 389-ds-base-1.3.0
Counting objects: 17, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (9/9), done.
Writing objects: 100% (9/9), 1.20 KiB, done.
Total 9 (delta 7), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
21c079e..1a194f0 389-ds-base-1.3.0 -> 389-ds-base-1.3.0
git push origin 389-ds-base-1.2.11
Counting objects: 17, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (9/9), done.
Writing objects: 100% (9/9), 1.28 KiB, done.
Total 9 (delta 7), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
36425a3..a056542 389-ds-base-1.2.11 -> 389-ds-base-1.2.11

Changed 4 months ago by tbordaz

comment:10 Changed 4 months ago by tbordaz

Test case for this ticket is added in ticket571_testcase.tar.gz

It provides an ldapcsdk testcase and a perl testcase.
The ldapcsdk testcase (makefile+search_empty_ctl.c) creates an openldap and a mozldap version of the testcase. openldap cannot reproduce the problem as it skips empty controls, but mozldap does not and sends the empty control.

The perl script is an easy method to reproduce the problem.

comment:11 Changed 3 months ago by tbordaz

Backport in 1.3.1

git push origin 389-ds-base-1.3.1

Counting objects: 11, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 1.42 KiB, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git

b143477..dea2a25 389-ds-base-1.3.1 -> 389-ds-base-1.3.1

Changed 7 weeks ago by nhosoi

git patch file (389-ds-base-1.3.1) -- covscan Defect type: COMPILER_WARNING

comment:12 Changed 7 weeks ago by rmeggins

  • Review set to ack

comment:13 Changed 7 weeks ago by nhosoi

Reviewed by Rich (Thank you!!)

Pushed to master:

272bd14..383db4a master -> master
commit 383db4a27cc417c1708989d84cf0e4445936ae9f

Pushed to 389-ds-base-1.3.2:

5bf85e6..8b92149 389-ds-base-1.3.2 -> 389-ds-base-1.3.2
commit 8b92149bf229d12052a2f349611e5f639fc57ef8

Pushed to 389-ds-base-1.3.2:

4f9ec32..86b76ef 389-ds-base-1.3.1 -> 389-ds-base-1.3.1
commit 86b76ef2466659efd31b07bc02b02daf444a9cde
