[DIRAPI-400] Hang in LDAP URL parser - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.1.6
Fix Version/s: 2.1.7
Labels:
None

Description

Hello, we have found a problem in LDAP URL parser in version 2.1.6 while fuzzing. The problem is that LDAP parser can not properly handle specially crafted inputs and just hangs.

Steps to reproduce:
_{1. Download Apache Directory LDAP API v2.1.6:}
^{wget wget https://github.com/apache/directory-ldap-api/archive/refs/tags/2.1.6.tar.gz}
^{tar xf 2.1.6.tar.gz && rm 2.1.6.tar.gz}

2. Compile the project (we used jdk-11 and mvn-3.9.6):
^{cd directory-ldap-api-2.1.6}
^{mvn clean package}

3. Get the reproducer:
^{mkdir fuzz && cd fuzz}
^{mv <path/to/reproducer>/Reproducer.java .}

4. Compile the reproducer:
^{javac -cp ../ldap/model/target/classes/ ./Reproducer.java}

5. Reproduce the hang:
^{java -cp ../ldap/model/target/classes/:.:../util/target/classes/:../integ-osgi/target/dependency/slf4j-api-1.7.26.jar:../i18n/target/classes/ Reproducer}

We decided to fuzz this function, because it is used in Apache Directory Server

Found by Linux Verification Center (portal.linuxtesting.ru) with Jazzer.
Author L.Reviakin (L.reviakin@fobos-nt.ru)

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

Reproducer.java
27/May/24 16:35
0.4 kB
Andrey Slepykh

Activity

People

Assignee:: Unassigned

Reporter:: Andrey Slepykh

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 27/May/24 16:35

Updated:: 28/May/24 08:41

Resolved:: 28/May/24 08:41