From: Howard Chu <hyc@openldap.org>
Date: Tue, 6 Aug 2024 15:18:36 +0000 (+0100)
Subject: ITS#10247 libldap: reject unrecognized critical URL extensions
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4fc6a3c064334c38b9e1c3cf8cded4cdc86f43e5;p=thirdparty%2Fopenldap.git

ITS#10247 libldap: reject unrecognized critical URL extensions
---

diff --git a/libraries/libldap/request.c b/libraries/libldap/request.c
index 1fff2a4c73..5ed10e9a22 100644
--- a/libraries/libldap/request.c
+++ b/libraries/libldap/request.c
@@ -528,9 +528,10 @@ ldap_new_connection( LDAP *ld, LDAPURLDesc **srvlist, int use_ldsb,
 	ld->ld_conns = lc;
 
 	if ( connect ) {
-#ifdef HAVE_TLS
 		if ( lc->lconn_server->lud_exts ) {
-			int rc, ext = find_tls_ext( lc->lconn_server );
+			int rc, ext, crit = 0;
+#ifdef HAVE_TLS
+			ext = find_tls_ext( lc->lconn_server );
 			if ( ext ) {
 				LDAPConn	*savedefconn;
 
@@ -547,14 +548,23 @@ ldap_new_connection( LDAP *ld, LDAPURLDesc **srvlist, int use_ldsb,
 				LDAP_REQ_LOCK_IF(m_req);
 				ld->ld_defconn = savedefconn;
 				--lc->lconn_refcnt;
+				if ( ext == 2 ) {
+					crit++;
 
-				if ( rc != LDAP_SUCCESS && ext == 2 ) {
-					ldap_free_connection( ld, lc, 1, 0 );
-					return NULL;
+					if ( rc != LDAP_SUCCESS ) {
+						ldap_free_connection( ld, lc, 1, 0 );
+						return NULL;
+					}
 				}
 			}
-		}
 #endif
+			if ( crit != lc->lconn_server->lud_crit_exts ) {
+				/* there were unrecognized critical extensions */
+				ldap_free_connection( ld, lc, 1, 0 );
+				ld->ld_errno = LDAP_NOT_SUPPORTED;
+				return NULL;
+			}
+		}
 	}
 
 	if ( bind != NULL ) {