[DIRAPI-403] OutOfMemory error in Asn1Decoder for LDAP messages - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.1.6
Fix Version/s: 2.1.7
Labels:
None

Description

Hi, we have found Out Of Memory error while fuzzing Asn1Decoder for LDAP messages.

Steps to reproduce:
1. Download Apache Directory LDAP API v2.1.6:

wget wget https://github.com/apache/directory-ldap-api/archive/refs/tags/2.1.6.tar.gz
tar xf 2.1.6.tar.gz && rm 2.1.6.tar.gz

2. Compile the project (we used jdk-11 and mvn-3.9.6):

cd directory-ldap-api-2.1.6
mvn clean package

3. Get the reproducer:

mkdir fuzz && cd fuzz
mv <path/to/reproducer>/OutOfMemoryReproducer.java .

4. Compile the reproducer

javac -cp ../asn1/ber/target/classes/:../asn1/api/target/classes/:../ldap/codec/core/target/classes/:../ldap/model/target/classes/:../ldap/codec/core/target/classes/ ./OutOfMemoryReproducer.java

5. Reproduce the error:

java -Xmx2000m -cp .:../asn1/ber/target/classes/:../asn1/api/target/classes/:../ldap/codec/core/target/classes/:../ldap/model/target/classes/:../ldap/codec/core/target/classes/:../util/target/classes/:../util/target/classes/:../integ-osgi/target/dependency/slf4j-api-1.7.36.jar:../i18n/target/classes/:../integ-osgi/target/dependency/mina-core-2.2.3.jar OutOfMemoryReproducer

We think that 2000 MB is a reasonable limit and the program should not take more.

Found by Linux Verification Center (portal.linuxtesting.ru) with Jazzer.
Author L.Reviakin (L.reviakin@fobos-nt.ru)

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

OutOfMemoryReproducer.java
31/May/24 15:02
1 kB
Andrey Slepykh

Activity

People

Assignee:: Unassigned

Reporter:: Andrey Slepykh

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 31/May/24 15:03

Updated:: 03/Jun/24 03:11

Resolved:: 03/Jun/24 03:11