Fix freeing uninitialized memory in LDAP sort control parsing#88
Closed
iliaal wants to merge 2 commits into
Closed
Fix freeing uninitialized memory in LDAP sort control parsing#88iliaal wants to merge 2 commits into
iliaal wants to merge 2 commits into
Conversation
iliaal
force-pushed
the
fix-ldap-sort-control
branch
from
a699ff3 to
1ac9a73
Compare
iliaal
force-pushed
the
fix-ldap-sort-control
branch
from
1ac9a73 to
d2ad57b
Compare
_php_ldap_control_from_array() allocated the sort_keys array with safe_emalloc() and only wrote its NULL terminator after the per-key loop finished. A sort key missing the "attr" entry makes the loop bail out early, leaving the array partially uninitialized; the failure cleanup then walks it as a NULL-terminated list and calls efree() on the uninitialized slots. Allocate the array zeroed with ecalloc() so the unwritten slots are NULL. Reachable from userland via the $controls argument of ldap_search() and the other control-taking LDAP functions. Closes phpGH-22342
iliaal
force-pushed
the
fix-ldap-sort-control
branch
from
d2ad57b to
f0450fa
Compare
Owner
Author
|
Submitted upstream as php#22342. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
ldap_search() and the other control-taking LDAP functions free uninitialized memory when a sort control is built from a malformed key list. php_ldap_control_from_array() allocates sort_keys with safe_emalloc() and writes the NULL terminator only after the per-key loop completes, but a sort key missing the "attr" entry makes the loop bail out early via a ValueError, leaving the tail of the array uninitialized. The failure cleanup then walks sort_keys as a NULL-terminated list and calls efree() on an uninitialized slot, freeing a garbage pointer. Allocating with ecalloc() makes the unwritten slots NULL so the cleanup stops at the first one.
The crash is reachable before any server connection: ldap_search($ld, $base, $filter, controls: [["oid" => LDAP_CONTROL_SORTREQUEST, "value" => [["attr" => "cn"], ["reverse" => true]]]]) aborts under ASAN.