1 files changed, 45 insertions, 0 deletions

diff --git a/debian/patches/ITS-9425-add-more-checks-to-ldap_X509dn2bv.patch b/debian/patches/ITS-9425-add-more-checks-to-ldap_X509dn2bv.patch
new file mode 100644
index 0000000..618eb3d
--- /dev/null
+++ b/debian/patches/ITS-9425-add-more-checks-to-ldap_X509dn2bv.patch
@@ -0,0 +1,45 @@
+From 4bdfffd2889c0c5cdf58bebafbdc8fce4bb2bff0 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 14 Dec 2020 20:05:44 +0000
+Subject: [PATCH] ITS#9425 add more checks to ldap_X509dn2bv
+
+---
+ libraries/libldap/tls2.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index e0c82fa9f8..193d20fdfa 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -1248,6 +1248,8 @@ ldap_X509dn2bv( void *x509_name, struct berval *bv, LDAPDN_rewrite_func *func,
+ 		for ( tag = ber_first_element( ber, &len, &rdn_end );
+ 			tag == LBER_SEQUENCE;
+ 			tag = ber_next_element( ber, &len, rdn_end )) {
++			if ( rdn_end > dn_end )
++				return LDAP_DECODING_ERROR;
+ 			tag = ber_skip_tag( ber, &len );
+ 			ber_skip_data( ber, len );
+ 			navas++;
+@@ -1257,7 +1259,7 @@ ldap_X509dn2bv( void *x509_name, struct berval *bv, LDAPDN_rewrite_func *func,
+ 	/* Rewind and prepare to extract */
+ 	ber_rewind( ber );
+ 	tag = ber_first_element( ber, &len, &dn_end );
+-	if ( tag == LBER_DEFAULT )
++	if ( tag != LBER_SET )
+ 		return LDAP_DECODING_ERROR;
+ 
+ 	/* Allocate the DN/RDN/AVA stuff as a single block */    
+@@ -1370,6 +1372,10 @@ allocd:
+ 				/* X.690 bitString value converted to RFC4517 Bit String */
+ 				rc = der_to_ldap_BitString( &Val, &newAVA->la_value );
+ 				goto allocd;
++			case LBER_DEFAULT:
++				/* decode error */
++				rc = LDAP_DECODING_ERROR;
++				goto nomem;
+ 			default:
+ 				/* Not a string type at all */
+ 				newAVA->la_flags = 0;
+-- 
+2.20.1
+