From 0c53a5e5dcca82dfa57a209c350c77db1572a7c6 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sat, 20 Sep 2025 23:53:52 +0200
Subject: [PATCH] openldap: check ldap_get_option() return codes

Do not just assume that they always work.

Reported in Joshua's sarif data

Closes #18653
---
 lib/openldap.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/lib/openldap.c b/lib/openldap.c
index 717739b68d..7d25d18421 100644
--- a/lib/openldap.c
+++ b/lib/openldap.c
@@ -538,7 +538,8 @@ static CURLcode oldap_ssl_connect(struct Curl_easy *data, ldapstate newstate)
       Sockbuf *sb;
 
       /* Install the libcurl SSL handlers into the sockbuf. */
-      ldap_get_option(li->ld, LDAP_OPT_SOCKBUF, &sb);
+      if(ldap_get_option(li->ld, LDAP_OPT_SOCKBUF, &sb) != LDAP_OPT_SUCCESS)
+        return CURLE_FAILED_INIT;
       ber_sockbuf_add_io(sb, &ldapsb_tls, LBER_SBIOD_LEVEL_TRANSPORT, data);
       li->recv = conn->recv[FIRSTSOCKET];
       li->send = conn->send[FIRSTSOCKET];
@@ -951,7 +952,8 @@ static CURLcode oldap_disconnect(struct Curl_easy *data,
 #ifdef USE_SSL
       if(ssl_installed(conn)) {
         Sockbuf *sb;
-        ldap_get_option(li->ld, LDAP_OPT_SOCKBUF, &sb);
+        if(ldap_get_option(li->ld, LDAP_OPT_SOCKBUF, &sb) != LDAP_OPT_SUCCESS)
+          return CURLE_FAILED_INIT;
         ber_sockbuf_add_io(sb, &ldapsb_tls, LBER_SBIOD_LEVEL_TRANSPORT, data);
       }
 #endif
@@ -986,7 +988,8 @@ static CURLcode oldap_do(struct Curl_easy *data, bool *done)
   if(ssl_installed(conn)) {
     Sockbuf *sb;
     /* re-install the libcurl SSL handlers into the sockbuf. */
-    ldap_get_option(li->ld, LDAP_OPT_SOCKBUF, &sb);
+    if(ldap_get_option(li->ld, LDAP_OPT_SOCKBUF, &sb) != LDAP_OPT_SUCCESS)
+      return CURLE_FAILED_INIT;
     ber_sockbuf_add_io(sb, &ldapsb_tls, LBER_SBIOD_LEVEL_TRANSPORT, data);
   }
 #endif
-- 
2.47.3