  1. Core Server
  2. SERVER-28370

Prevent LDAP authorization crash when parsing null valued attributes


Details

    • Bug
    • Status: Closed
    • Major - P3
    • Resolution: Done
    • 3.4.2
    • 3.4.3, 3.5.5
    • Internal Client
    • None
    • Fully Compatible
    • ALL
    • v3.4
    • Platforms 2017-03-27

    Description

      RFC4511 allows LDAP searches to return empty attributes which have no values:

      4.1.7. Attribute and PartialAttribute

      Attributes and partial attributes consist of an attribute description
      and attribute values. A PartialAttribute allows zero values, while
      Attribute requires at least one value.

      PartialAttribute ::= SEQUENCE {
           type       AttributeDescription,
           vals       SET OF value AttributeValue }

      4.5.2. Search Result

      The results of the Search operation are returned as zero or more
      SearchResultEntry and/or SearchResultReference messages, followed by
      a single SearchResultDone message.

      SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
           objectName      LDAPDN,
           attributes      PartialAttributeList }

      PartialAttributeList ::= SEQUENCE OF
           partialAttribute PartialAttribute

      SearchResultReference ::= [APPLICATION 19] SEQUENCE
           SIZE (1..MAX) OF uri URI

      SearchResultDone ::= [APPLICATION 5] LDAPResult

      Servers conforming to this specification do not need to return any values for a particular attribute.

      libldap appears to return a NULL pointer when ldap_get_values_len is called for an attribute without values, instead of an array containing a NULL pointer. libldap more commonly returns a NULL pointer on error. However, this condition is not considered an error, so no result code is set on the LDAP session handle.

      We should correctly handle this case.
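
An added example (not code from this ticket or from the MongoDB source) of the handling the description calls for: a NULL return from ldap_get_values_len with no result code on the session is treated as an attribute with zero values and is never dereferenced. `struct ex_berval`, `collect_values`, the size limits and the sample data are hypothetical names constructed for this sketch; `session_rc` is assumed to be the result code the caller read from the session handle after the call.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for liblber's struct berval, so this builds without OpenLDAP headers. */
struct ex_berval { size_t bv_len; char *bv_val; };

#define MAX_VALUES 8
#define MAX_VALUE_LEN 64

enum attr_status { ATTR_HAS_VALUES, ATTR_EMPTY, ATTR_ERROR };
struct attr_values { size_t count; char values[MAX_VALUES][MAX_VALUE_LEN]; };

/* vals: pointer returned by ldap_get_values_len() for one attribute.
 * session_rc: result code read from the session handle afterwards (0 = success).
 * Copies the values into out and never dereferences a NULL vals. */
enum attr_status collect_values(struct ex_berval **vals, int session_rc,
                                struct attr_values *out)
{
    out->count = 0;
    if (vals == NULL)  /* NULL with no result code: attribute present, zero values */
        return session_rc == 0 ? ATTR_EMPTY : ATTR_ERROR;
    for (size_t i = 0; vals[i] != NULL; i++) {
        /* Fail closed (a choice of this example) on oversized or excess values. */
        if (i >= MAX_VALUES || vals[i]->bv_len >= MAX_VALUE_LEN) {
            out->count = 0;
            return ATTR_ERROR;
        }
        /* bervals carry an explicit length; do not rely on NUL termination. */
        memcpy(out->values[i], vals[i]->bv_val, vals[i]->bv_len);
        out->values[i][vals[i]->bv_len] = '\0';
        out->count = i + 1;
    }
    return out->count ? ATTR_HAS_VALUES : ATTR_EMPTY;
}

/* Constructed sample data: a two-valued attribute and a scratch result buffer. */
static char s_admins[] = "cn=admins", s_ops[] = "cn=ops";
static struct ex_berval v_admins = { 9, s_admins }, v_ops = { 6, s_ops };
static struct ex_berval *sample_two[] = { &v_admins, &v_ops, NULL };
static struct attr_values sample_out;

int main(void)
{
    printf("NULL, rc=0 -> %d\n", (int)collect_values(NULL, 0, &sample_out));
    printf("NULL, rc=1 -> %d\n", (int)collect_values(NULL, 1, &sample_out));
    enum attr_status st = collect_values(sample_two, 0, &sample_out);
    printf("two values -> %d (count=%zu)\n", (int)st, sample_out.count);
    return 0;
}
```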

          People

            spencer.jackson@mongodb.com Spencer Jackson