[src/trunk]: src/external/bsd/openldap/dist/servers/slapd/overlays Apply: htt...

[christos <christos%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/4ce313988391
branches:  trunk
changeset: 806176:4ce313988391
user:      christos <christos%NetBSD.org@localhost>
date:      Sat Feb 07 17:58:23 2015 +0000

description:
Apply: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;\
    h=c32e74763f77675b9e144126e375977ed6dc562c
The deref overlay in slapd 2.4.13 through 2.4.40 dereferences a NULL
pointer when a search request includes the Deref control with an empty
list of attributes to return (missing input validation). [CVE-2015-1545]

XXX: Pullup-7

diffstat:

 external/bsd/openldap/dist/servers/slapd/overlays/deref.c |  5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diffs (19 lines):

diff -r 0cfcce3b26d7 -r 4ce313988391 external/bsd/openldap/dist/servers/slapd/overlays/deref.c
--- a/external/bsd/openldap/dist/servers/slapd/overlays/deref.c Sat Feb 07 17:56:59 2015 +0000
+++ b/external/bsd/openldap/dist/servers/slapd/overlays/deref.c Sat Feb 07 17:58:23 2015 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: deref.c,v 1.1.1.3 2014/05/28 09:58:52 tron Exp $       */
+/*     $NetBSD: deref.c,v 1.2 2015/02/07 17:58:23 christos Exp $       */
 
 /* deref.c - dereference overlay */
 /* $OpenLDAP$ */
@@ -185,7 +185,8 @@
                ber_len_t cnt = sizeof(struct berval);
                ber_len_t off = 0;
 
-               if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR )
+               if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR
+                       || !cnt )
                {
                        rs->sr_text = "Dereference control: derefSpec decoding error";
                        rs->sr_err = LDAP_PROTOCOL_ERROR;