Closed Bug 389731 Opened 17 years ago Closed 17 years ago

PerLDAP crashes when a bad URL is passed

Categories

(Directory :: PerLDAP, defect)

Product:
Directory
Component:
PerLDAP
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: nhosoi, Assigned: richm)

Details

Attachments

(2 files)

slightly different fix
4.29 KB, patch
richm
: review+
Details | Diff | Splinter Review
cvs commit log
451 bytes, text/plain
Details 
Sample input to cause the problem: "ldap://:<port>/<suffix>"
where <host> is missing.

Here's the stacktrace from the core
$ gdb `which perl` core.###
(gdb) bt
#0  0x00552b36 in Perl_newSVpv ()
  from /usr/lib/perl5/5.8.5/i386-linux-thread-multi/CORE/libperl.so
#1  0x002ba66f in XS_Mozilla__LDAP__API_ldap_url_parse (my_perl=0x9804008,  cv=0x9812d5c) at API.c:3027
#2  0x0054ca22 in Perl_pp_entersub ()
  from /usr/lib/perl5/5.8.5/i386-linux-thread-multi/CORE/libperl.so
#3  0x0052fedd in Perl_runops_debug ()
  from /usr/lib/perl5/5.8.5/i386-linux-thread-multi/CORE/libperl.so
#4  0x004e1c91 in perl_run ()
  from /usr/lib/perl5/5.8.5/i386-linux-thread-multi/CORE/libperl.so
#5  0x080493b2 in main ()
(gdb) up
#1  0x002ba66f in XS_Mozilla__LDAP__API_ldap_url_parse (my_perl=0x9804008,  cv=0x9812d5c) at API.c:3027
3027                  SV* host = newSVpv(realcomp->lud_host,0);
(gdb) p realcomp
$1 = (LDAPURLDesc *) 0x9df68d8
(gdb) p realcomp->lud_host
$2 = 0x0
(gdb) p url
$3 = 0x9d31920 "ldap://:<port>/<suffix>"

It looks newSVpv crashes if NULL is passed to the first argument.  XS_Mozilla__LDAP__API_ldap_url_parse calls newSVpv with these 2 args w/o checking the value.
         SV* host = newSVpv(realcomp->lud_host,0);
         SV* filter = newSVpv(realcomp->lud_filter,0);

Should we do something like this?
Index: API.xs
===================================================================
RCS file: /cvsroot/mozilla/directory/perldap/API.xs,v
retrieving revision 1.18.2.11
diff -t -w -U 4 -r1.18.2.11 API.xs
--- API.xs      14 Jun 2007 09:21:14 -0000      1.18.2.11
+++ API.xs      26 Jul 2007 20:31:57 -0000
@@ -1683,9 +1683,9 @@
           HV*   FullHash = newHV();
           RETVAL = newRV((SV*)FullHash);

           ret = ldap_url_parse(url,&realcomp);
-           if (ret == 0)
+           if (ret == 0 && realcomp->lud_host && realcomp->lud_filter)
           {
              static char *host_key = "host";
              static char *port_key = "port";
              static char *dn_key = "dn";
ldap_url_parse allows the host to be empty.  So we have to handle this case the same way we handle the empty dn case - just set host to an empty string.  I don't think we need to handle the filter differently - the code in url.c ldap_url_parse() in the LDAP C library will set filter to "(objectclass=*)" if NULL.
Attachment #274170 - Flags: review+
Attached file cvs commit log 

    
  
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: