Fix freeing uninitialized memory in LDAP sort control parsing#22342
Open
iliaal wants to merge 1 commit into
Open
Fix freeing uninitialized memory in LDAP sort control parsing#22342iliaal wants to merge 1 commit into
iliaal wants to merge 1 commit into
Conversation
_php_ldap_control_from_array() allocated the sort_keys array with safe_emalloc() and only wrote its NULL terminator after the per-key loop finished. A sort key missing the "attr" entry makes the loop bail out early, leaving the array partially uninitialized; the failure cleanup then walks it as a NULL-terminated list and calls efree() on the uninitialized slots. Allocate the array zeroed with ecalloc() so the unwritten slots are NULL. Reachable from userland via the $controls argument of ldap_search() and the other control-taking LDAP functions. Closes phpGH-22342
iliaal
force-pushed
the
fix-ldap-sort-control
branch
from
d2ad57b to
f0450fa
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
_php_ldap_control_from_array() allocated the sort_keys array with safe_emalloc() and wrote its NULL terminator only after the per-key loop. A sort key missing the "attr" entry bails out of the loop early, so the array is partially uninitialized when the failure cleanup walks it as a NULL-terminated list and efree()s the unwritten slots. Allocate it zeroed with ecalloc() so those slots read NULL; the sibling tmpstrings arrays are freed by a counter and stay safe_emalloc. Reachable from userland via the $controls argument of ldap_search() and the other control-taking LDAP functions.