Index | Thread | Search

From:
Jan Klemkow <jan@openbsd.org>
Subject:
aldap_parse_page_control(): fix NULL pointer deref
To:
tech@openbsd.org
Date:
Fri, 3 Jul 2026 13:47:03 +0200

Download raw body.

Thread
  • Jan Klemkow:

    aldap_parse_page_control(): fix NULL pointer deref

Hi,

This fix handels a NULL pointer dereference in all
aldap_parse_page_control() functions.  When the following malloc(3)
call returns a valid pointer the elm pointer is used.

ok?

bye,
Jan

Index: libexec/login_ldap/aldap.c
===================================================================
RCS file: /cvs/src/libexec/login_ldap/aldap.c,v
diff -u -p -r1.4 aldap.c
--- libexec/login_ldap/aldap.c	3 Jul 2026 11:28:31 -0000	1.4
+++ libexec/login_ldap/aldap.c	3 Jul 2026 11:43:40 -0000
@@ -460,7 +460,10 @@ aldap_parse_page_control(struct ber_elem
 	b.br_wbuf = NULL;
 	ober_scanf_elements(control, "ss", &oid, &encoded);
 	ober_set_readbuf(&b, encoded, control->be_next->be_len);
-	elm = ober_read_elements(&b, NULL);
+	if ((elm = ober_read_elements(&b, NULL)) == NULL) {
+		ober_free(&b);
+		return NULL;
+	}
 
 	if ((page = malloc(sizeof(struct aldap_page_control))) == NULL) {
 		if (elm != NULL)
Index: usr.bin/ldap/aldap.c
===================================================================
RCS file: /cvs/src/usr.bin/ldap/aldap.c,v
diff -u -p -r1.12 aldap.c
--- usr.bin/ldap/aldap.c	3 Jul 2026 11:28:31 -0000	1.12
+++ usr.bin/ldap/aldap.c	3 Jul 2026 11:43:40 -0000
@@ -460,7 +460,10 @@ aldap_parse_page_control(struct ber_elem
 	b.br_wbuf = NULL;
 	ober_scanf_elements(control, "ss", &oid, &encoded);
 	ober_set_readbuf(&b, encoded, control->be_next->be_len);
-	elm = ober_read_elements(&b, NULL);
+	if ((elm = ober_read_elements(&b, NULL)) == NULL) {
+		ober_free(&b);
+		return NULL;
+	}
 
 	if ((page = malloc(sizeof(struct aldap_page_control))) == NULL) {
 		if (elm != NULL)
Index: usr.sbin/ypldap/aldap.c
===================================================================
RCS file: /cvs/src/usr.sbin/ypldap/aldap.c,v
diff -u -p -r1.51 aldap.c
--- usr.sbin/ypldap/aldap.c	3 Jul 2026 11:28:31 -0000	1.51
+++ usr.sbin/ypldap/aldap.c	3 Jul 2026 11:43:40 -0000
@@ -496,7 +496,10 @@ aldap_parse_page_control(struct ber_elem
 	b.br_wbuf = NULL;
 	ober_scanf_elements(control, "ss", &oid, &encoded);
 	ober_set_readbuf(&b, encoded, control->be_next->be_len);
-	elm = ober_read_elements(&b, NULL);
+	if ((elm = ober_read_elements(&b, NULL)) == NULL) {
+		ober_free(&b);
+		return NULL;
+	}
 
 	if ((page = malloc(sizeof(struct aldap_page_control))) == NULL) {
 		if (elm != NULL)