The SUSE team reviewed the source of OpenLDAP version 2.0.23.

Some of the bugs have been corrected in version 2.0.27, so I {vserge@altlinux.ru} removed those from the SUSE patch. These are the patches for the files:
 - servers/slapd/acl.c
 - libraries/libldap/dnssrv.c
 - servers/slurpd/reject.c
 - libraries/libldap/url.c




OpenLDAP 2.0.33 review
======================

reviewed:

In general I audited all C files in the following subdirectories:

openldap-2.0.23/libraries/libldap
openldap-2.0.23/libraries/liblber
openldap-2.0.23/servers/slapd
openldap-2.0.23/servers/slurpd

except files/functions whose input is trusted, such as
config files or schema definitions. In liblber
I focused on io.c and decode.c because they handle highly
untrusted input from the network.

openldap-2.0.23/libraries/liblber

Good-quality ASN.1 decoding, no signedness issues
or the like. It always checks whether the lengths given
in the ASN.1 objects make sense.
I am just not sure whether ber_realloc() is clean
in its recalculation of the offsets.


openldap-2.0.23/libraries/libldap:

Audited *.c except schema.c and files with a main(), i.e.
test programs, which are obviously not part of the LDAP server
or client.

	dnssrv.c:274

	if (cur > 0) {
		/* not first time around */
		hostlist[cur++] = ' ';
	}

	This is probably an off-by-one: I do not see the +1 for
	the ' ' in buflen.

	++++++++++++++++++

	getfilter.c function ldap_build_filter()

	I do not think the strcpy() calls are safe.

	++++++++++++++++++

	init.c

	These functions should never be called from SUID binaries.
	(pam_ldap follow-up)

	+++++++++++++++++

	tmplout.c function do_entry2text() et al

	Lots of unsafe sprintf() and strcpy(). It also produces some HTML output
	which may contain JavaScript and is suspected to be vulnerable
	to what is called 'cross-site scripting'.

	+++++++++++++++++

	url.c function ldap_pvt_hex_unescape()

	As far as I can see, this function can overflow for URLs like
	http://blah%\0blub because in the loop the 's' pointer jumps over
	the 0 terminator if the last character is a '%'.
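An added example, not OpenLDAP's url.c, showing the loop shape described above next to a hardened version. hex_unescape_unchecked() consumes two bytes after every '%' and therefore steps past the terminator on a trailing '%'; hex_unescape() only decodes a '%' that is followed by two hex digits (which rules out the terminator), copies malformed escapes through unchanged, and returns the decoded length so that an embedded NUL from "%00" is visible to the caller. The function names and the sample strings in the comments are mine.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Added example, not OpenLDAP's url.c.  Both functions %-decode a
 * string in place, as ldap_pvt_hex_unescape() does. */

static int unhex(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* The pattern the review describes: on '%' the next two bytes are
 * consumed unconditionally.  For input ending in "%" (s[1] == '\0')
 * the "s += 2" steps over the terminator, and the loop keeps reading
 * and writing past the end of the buffer.  Kept only to show the
 * shape of the bug; never call it on untrusted input. */
void hex_unescape_unchecked(char *s)
{
    char *p;
    for (p = s; *s != '\0'; ++s) {
        if (*s == '%') {
            *p++ = (char)((unhex(s[1]) << 4) | unhex(s[2]));
            s += 2;
        } else {
            *p++ = *s;
        }
    }
    *p = '\0';
}

/* Hardened form: a '%' is decoded only when followed by two hex
 * digits, so neither of them can be the terminator and the read of
 * q[2] is only reached once q[1] is known to be non-NUL.  A malformed
 * escape ("%", "%4", "%zz") is copied through unchanged, so a caller
 * that wants strictness can reject the result if a '%' remains.
 * Returns the decoded length, which differs from strlen() when the
 * input contained "%00". */
size_t hex_unescape(char *s)
{
    char *p = s;
    const char *q = s;
    for (; *q != '\0'; ++q) {
        if (*q == '%' && isxdigit((unsigned char)q[1]) && isxdigit((unsigned char)q[2])) {
            *p++ = (char)((unhex(q[1]) << 4) | unhex(q[2]));
            q += 2;
        } else {
            *p++ = *q;
        }
    }
    *p = '\0';
    return (size_t)(p - s);
}
```

Returning the decoded length rather than relying on strlen() afterwards matters for the "%00" case: a caller that later passes the buffer to a C string API will see a shorter string than the attacker sent, which is the classic NUL-truncation trick; comparing the returned length with strlen() detects it.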
	
openldap-2.0.23/servers/slapd:

	acl.c:1537

	Are we sure all the characters fit into the target?

	++++++++++++++++++

	lock.c function lock_fopen()

	Overflow, but with no impact since the input isn't user-controlled.

	+++++++++++++++++++

	back-passwd/search.c function pw2entry()

	Overflows via sprintf() and strcpy()/strcat(). Could use snprintf().
	Even though the input comes from the passwd file it may still overflow,
	since some fields are user-controlled.

	+++++++++++++++++++

	back-sql/

	It looks like it is possible to inject SQL commands into queries. This may
	be bad if SQL is used for authentication and remote attackers use the
	authentication query to inject new accounts.


openldap-2.0.23/servers/slurpd:

	args.c function doargs()

	Should use snprintf().

	++++++++++++++++++++

	lock.c

	Same issue as with slapd.

	++++++++++++++++++++

	reject.c function write_reject()

	Overflow via sprintf(). The reject file should be opened with
	O_EXCL; the access() check does not suffice because there is a race
	condition. Also make sure the produced .rej filename cannot contain
	"../../" (this should not depend on the resolver; since the
	filename is constructed from the hostname it cannot contain '/',
	or can it?)
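An added example, not slurpd's reject.c, of the two fixes suggested above: the .rej name is refused if it contains a path separator or is "." or "..", the path is built with a bounded snprintf(), and the file is created with O_CREAT|O_EXCL so that a file or symlink which appears between any earlier check and the open() makes open() fail with EEXIST instead of being truncated or followed. The "<dir>/<host>.rej" layout, the function names and the hostnames are assumptions of the example; reject_demo() exercises it in a scratch directory created with mkdtemp().

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for mkdtemp() */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Added example, not slurpd's reject.c.  Creates "<dir>/<host>.rej" the
 * way a replication daemon might record a rejected change, without the
 * access()-then-open race and without trusting the hostname as a path. */

/* A hostname used as a file name may not be empty, contain '/', or be
 * "." or ".." (with a '/' that is all a traversal needs). */
int reject_name_ok(const char *host)
{
    if (host == NULL || host[0] == '\0') return 0;
    if (strchr(host, '/') != NULL) return 0;
    if (strcmp(host, ".") == 0 || strcmp(host, "..") == 0) return 0;
    return 1;
}

/* Builds the path into 'path' and creates the file.  O_CREAT|O_EXCL
 * makes open() fail with EEXIST if anything (regular file or symlink)
 * already sits at that name, so there is no window for a check-then-use
 * race.  Returns the fd, or -1 with errno set: EINVAL for a refused
 * name, ENAMETOOLONG if the path does not fit the buffer. */
int open_reject_file(const char *dir, const char *host, char *path, size_t pathsz)
{
    if (!reject_name_ok(host)) { errno = EINVAL; return -1; }
    int n = snprintf(path, pathsz, "%s/%s.rej", dir, host);
    if (n < 0 || (size_t)n >= pathsz) { errno = ENAMETOOLONG; return -1; }
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* 1 if open_reject_file() fails with errno == err, 0 otherwise. */
static int fails_with(const char *dir, const char *host, char *buf, size_t sz, int err)
{
    errno = 0;
    int fd = open_reject_file(dir, host, buf, sz);
    if (fd >= 0) { close(fd); return 0; }
    return errno == err;
}

/* Runs the scenario in a fresh scratch directory.  Returns 0 when every
 * step behaves as described, otherwise the number of the failing step. */
int reject_demo(void)
{
    char dir[] = "/tmp/rej-demo-XXXXXX";   /* constructed scratch dir */
    char path[512];
    char small[8];
    int rc = 0, fd;

    if (mkdtemp(dir) == NULL) return 1;

    /* step 2: first creation succeeds */
    fd = open_reject_file(dir, "ldap2.example.com", path, sizeof path);
    if (fd < 0) { rc = 2; goto out; }
    close(fd);

    /* step 3: same name again must fail, never truncate the first file */
    if (!fails_with(dir, "ldap2.example.com", path, sizeof path, EEXIST)) { rc = 3; goto out; }

    /* step 4: a resolver-supplied name with '/' is refused before any path is built */
    if (!fails_with(dir, "../../etc/passwd", path, sizeof path, EINVAL)) { rc = 4; goto out; }

    /* step 5: a path that does not fit is refused, not silently cut */
    if (!fails_with(dir, "ldap2.example.com", small, sizeof small, ENAMETOOLONG)) { rc = 5; goto out; }

out:
    unlink(path);   /* 'path' still names the file from step 2 */
    rmdir(dir);
    return rc;
}
```

The name check answers the review's own question: a hostname from DNS is not guaranteed to be free of '/', so the daemon should enforce that itself rather than rely on the resolver, and O_EXCL covers the race regardless of what the name is.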

	++++++++++++++++++++

	sanity.c filecheck()

	Overflow.

