ITS#10247 libldap: reject unrecognized critical URL extensions
authorHoward Chu <hyc@openldap.org>
Tue, 6 Aug 2024 15:18:36 +0000 (16:18 +0100)
committerQuanah Gibson-Mount <quanah@openldap.org>
Tue, 20 Aug 2024 15:39:04 +0000 (15:39 +0000)
libraries/libldap/request.c

index 1fff2a4c736daeaf0b10cc70fd4a16585ad2392e..5ed10e9a22420b29be53a68dfc0e143480571a86 100644 (file)
@@ -528,9 +528,10 @@ ldap_new_connection( LDAP *ld, LDAPURLDesc **srvlist, int use_ldsb,
        ld->ld_conns = lc;
 
        if ( connect ) {
-#ifdef HAVE_TLS
                if ( lc->lconn_server->lud_exts ) {
-                       int rc, ext = find_tls_ext( lc->lconn_server );
+                       int rc, ext, crit = 0;
+#ifdef HAVE_TLS
+                       ext = find_tls_ext( lc->lconn_server );
                        if ( ext ) {
                                LDAPConn        *savedefconn;
 
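Review bot: `int rc, ext, crit = 0;` now sits outside the `#ifdef HAVE_TLS`, so in a build without TLS both `rc` and `ext` are declared but never used and will draw unused-variable warnings, while only `crit` is needed on that path. Keep the TLS-only locals under the guard: `int crit = 0;` followed by `#ifdef HAVE_TLS` and `int rc, ext = find_tls_ext( lc->lconn_server );`. A one-line comment on `crit` would also help, e.g. `/* number of critical URL extensions we actually honoured */`, since its meaning is only apparent at the comparison further down. ldap_new_connection begins and ends outside this hunk.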
@@ -547,14 +548,23 @@ ldap_new_connection( LDAP *ld, LDAPURLDesc **srvlist, int use_ldsb,
                                LDAP_REQ_LOCK_IF(m_req);
                                ld->ld_defconn = savedefconn;
                                --lc->lconn_refcnt;
+                               if ( ext == 2 ) {
+                                       crit++;
 
-                               if ( rc != LDAP_SUCCESS && ext == 2 ) {
-                                       ldap_free_connection( ld, lc, 1, 0 );
-                                       return NULL;
+                                       if ( rc != LDAP_SUCCESS ) {
+                                               ldap_free_connection( ld, lc, 1, 0 );
+                                               return NULL;
+                                       }
                                }
                        }
-               }
 #endif
+                       if ( crit != lc->lconn_server->lud_crit_exts ) {
+                               /* there were unrecognized critical extensions */
+                               ldap_free_connection( ld, lc, 1, 0 );
+                               ld->ld_errno = LDAP_NOT_SUPPORTED;
+                               return NULL;
+                       }
+               }
        }
 
        if ( bind != NULL ) {
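Review bot: The comment above the `crit != lc->lconn_server->lud_crit_exts` check states the outcome but not the mechanism, and the check is the security-relevant part of this commit: it is what makes a URL carrying a critical extension the library cannot honour (including x-tls on a build without HAVE_TLS, where `crit` can never be incremented) fail closed instead of silently connecting. Suggest expanding it to `/* crit counts the critical extensions handled above (only the TLS one, and only with HAVE_TLS); lud_crit_exts is what the URL parser saw. Any mismatch is a critical extension we cannot honour, so reject the URL. */`. The literal `2` in `if ( ext == 2 )` presumably encodes "critical TLS extension" as returned by find_tls_ext(); a short comment or named constant would make that branch self-explanatory. ldap_new_connection begins and ends outside this hunk.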