From: Jan Klemkow Subject: aldap_parse_page_control(): fix NULL pointer deref To: tech@openbsd.org Date: Fri, 3 Jul 2026 13:47:03 +0200 Hi, This fix handels a NULL pointer dereference in all aldap_parse_page_control() functions. When the following malloc(3) call returns a valid pointer the elm pointer is used. ok? bye, Jan Index: libexec/login_ldap/aldap.c =================================================================== RCS file: /cvs/src/libexec/login_ldap/aldap.c,v diff -u -p -r1.4 aldap.c --- libexec/login_ldap/aldap.c 3 Jul 2026 11:28:31 -0000 1.4 +++ libexec/login_ldap/aldap.c 3 Jul 2026 11:43:40 -0000 @@ -460,7 +460,10 @@ aldap_parse_page_control(struct ber_elem b.br_wbuf = NULL; ober_scanf_elements(control, "ss", &oid, &encoded); ober_set_readbuf(&b, encoded, control->be_next->be_len); - elm = ober_read_elements(&b, NULL); + if ((elm = ober_read_elements(&b, NULL)) == NULL) { + ober_free(&b); + return NULL; + } if ((page = malloc(sizeof(struct aldap_page_control))) == NULL) { if (elm != NULL) Index: usr.bin/ldap/aldap.c =================================================================== RCS file: /cvs/src/usr.bin/ldap/aldap.c,v diff -u -p -r1.12 aldap.c --- usr.bin/ldap/aldap.c 3 Jul 2026 11:28:31 -0000 1.12 +++ usr.bin/ldap/aldap.c 3 Jul 2026 11:43:40 -0000 @@ -460,7 +460,10 @@ aldap_parse_page_control(struct ber_elem b.br_wbuf = NULL; ober_scanf_elements(control, "ss", &oid, &encoded); ober_set_readbuf(&b, encoded, control->be_next->be_len); - elm = ober_read_elements(&b, NULL); + if ((elm = ober_read_elements(&b, NULL)) == NULL) { + ober_free(&b); + return NULL; + } if ((page = malloc(sizeof(struct aldap_page_control))) == NULL) { if (elm != NULL) Index: usr.sbin/ypldap/aldap.c =================================================================== RCS file: /cvs/src/usr.sbin/ypldap/aldap.c,v diff -u -p -r1.51 aldap.c --- usr.sbin/ypldap/aldap.c 3 Jul 2026 11:28:31 -0000 1.51 +++ usr.sbin/ypldap/aldap.c 3 Jul 2026 11:43:40 -0000 @@ -496,7 +496,10 @@ aldap_parse_page_control(struct ber_elem b.br_wbuf = NULL; ober_scanf_elements(control, "ss", &oid, &encoded); ober_set_readbuf(&b, encoded, control->be_next->be_len); - elm = ober_read_elements(&b, NULL); + if ((elm = ober_read_elements(&b, NULL)) == NULL) { + ober_free(&b); + return NULL; + } if ((page = malloc(sizeof(struct aldap_page_control))) == NULL) { if (elm != NULL)