From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Fri, 30 Oct 2020 13:58:01 +0000 (+0000)
Subject:     LDAP: fix taint-check in server list walk.  Bug 2646
X-Git-Tag: exim-4.94.1~78
X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/e12d2e7bc2e9f0c30a1029602e57e5ae8df1b9db

LDAP: fix taint-check in server list walk.  Bug 2646

    (cherry picked from commit 51b611aa81d7ee01243b196abc34a0e2eabd293c)
---

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index ec1b03304..9924fca5c 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -102,6 +102,11 @@ JH/22 Bug 2265: Force SNI usage for smtp transport DANE'd connections, to be
 JH/23 Logging: with the +tls_sni log_selector, do not wrap the received SNI
       in quotes.
 
+JH/26 Bug 2646: fix a memory usage issue in ldap lookups.  Previously, when more
+      than one server was defined and depending on the platform memory layout
+      details, an internal consistency trap could be hit while walking the list
+      of servers.
+
 
 Exim version 4.94
 -----------------
diff --git a/src/src/lookups/ldap.c b/src/src/lookups/ldap.c
index ef550a08d..34908a351 100644
--- a/src/src/lookups/ldap.c
+++ b/src/src/lookups/ldap.c
@@ -1093,7 +1093,6 @@ uschar *password = NULL;
 uschar *local_servers = NULL;
 uschar *server;
 const uschar *list;
-uschar buffer[512];
 
 while (isspace(*url)) url++;
 
@@ -1254,7 +1253,7 @@ if (!eldap_default_servers && !local_servers  || p[3] != '/')
 /* Loop through the default servers until OK or FAIL. Use local_servers list
  * if defined in the lookup, otherwise use the global default list */
 list = !local_servers ? eldap_default_servers : local_servers;
-while ((server = string_nextinlist(&list, &sep, buffer, sizeof(buffer))))
+while ((server = string_nextinlist(&list, &sep, NULL, 0)))
   {
   int rc;
   int port = 0;
diff --git a/test/confs/9001 b/test/confs/9001
index a1f4ba3eb..ba5a1687f 100644
--- a/test/confs/9001
+++ b/test/confs/9001
@@ -18,7 +18,7 @@ r0:
 
 r1:
   driver = redirect
-  data = ${lookup ldap user="cn=xxx,o=yyy,c=UK" pass="secret" \
+  data = ${lookup ldap {USER="cn=xxx,o=yyy,c=UK" PASS="secret" \
          ldap:///o=zzz,c=UK,?sn?sub?(cn=foo)}}