bz #605448 CVE-2010-0211 openldap: modrdn processing uninitialized pointer free bz #605452 CVE-2010-0212 openldap: modrdn processing IA5StringNormalize NULL pointer dereference diff -urp openldap-2.4.22/servers/slapd/dn.c openldap-2.4.22.new/servers/slapd/dn.c --- openldap-2.4.22/servers/slapd/dn.c 2010-04-13 22:23:14.000000000 +0200 +++ openldap-2.4.22.new/servers/slapd/dn.c 2010-07-19 17:57:51.974346501 +0200 @@ -302,16 +302,13 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned f ava->la_attr = ad->ad_cname; if( ava->la_flags & LDAP_AVA_BINARY ) { - if( ava->la_value.bv_len == 0 ) { - /* BER encoding is empty */ - return LDAP_INVALID_SYNTAX; - } + /* AVA is binary encoded, not supported */ + return LDAP_INVALID_SYNTAX; /* Do not allow X-ORDERED 'VALUES' naming attributes */ } else if( ad->ad_type->sat_flags & SLAP_AT_ORDERED_VAL ) { return LDAP_INVALID_SYNTAX; - /* AVA is binary encoded, don't muck with it */ } else if( flags & SLAP_LDAPDN_PRETTY ) { transf = ad->ad_type->sat_syntax->ssyn_pretty; if( !transf ) { @@ -379,6 +376,10 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned f ava->la_value = bv; ava->la_flags |= LDAP_AVA_FREE_VALUE; } + /* reject empty values */ + if (!ava->la_value.bv_len) { + return LDAP_INVALID_SYNTAX; + } } rc = LDAP_SUCCESS; diff -urp openldap-2.4.22/servers/slapd/modrdn.c openldap-2.4.22.new/servers/slapd/modrdn.c --- openldap-2.4.22/servers/slapd/modrdn.c 2010-04-13 22:23:16.000000000 +0200 +++ openldap-2.4.22.new/servers/slapd/modrdn.c 2010-07-19 17:57:51.975346274 +0200 @@ -445,12 +445,19 @@ slap_modrdn2mods( mod_tmp->sml_values[1].bv_val = NULL; if( desc->ad_type->sat_equality->smr_normalize) { mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) ); - (void) (*desc->ad_type->sat_equality->smr_normalize)( + rs->sr_err = desc->ad_type->sat_equality->smr_normalize( SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX, desc->ad_type->sat_syntax, desc->ad_type->sat_equality, &mod_tmp->sml_values[0], &mod_tmp->sml_nvalues[0], NULL ); + if (rs->sr_err != LDAP_SUCCESS) { + ch_free(mod_tmp->sml_nvalues); + ch_free(mod_tmp->sml_values[0].bv_val); + ch_free(mod_tmp->sml_values); + ch_free(mod_tmp); + goto done; + } mod_tmp->sml_nvalues[1].bv_val = NULL; } else { mod_tmp->sml_nvalues = NULL; diff -urp openldap-2.4.22/servers/slapd/schema_init.c openldap-2.4.22.new/servers/slapd/schema_init.c --- openldap-2.4.22/servers/slapd/schema_init.c 2010-04-14 20:12:15.000000000 +0200 +++ openldap-2.4.22.new/servers/slapd/schema_init.c 2010-07-19 17:57:51.978346712 +0200 @@ -1735,8 +1735,9 @@ UTF8StringNormalize( ? LDAP_UTF8_APPROX : 0; val = UTF8bvnormalize( val, &tmp, flags, ctx ); + /* out of memory or syntax error, the former is unlikely */ if( val == NULL ) { - return LDAP_OTHER; + return LDAP_INVALID_SYNTAX; } /* collapse spaces (in place) */