From: Alice Akaki Date: Mon, 3 Mar 2025 22:52:39 +0000 (-0400) Subject: ldap: return empty buffer in ldap_tx_get_responses_dn X-Git-Tag: suricata-8.0.0-beta1~330 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=599d33c5bfa82a04d3ccd0f5d32a2af2360f0171;p=thirdparty%2Fsuricata.git ldap: return empty buffer in ldap_tx_get_responses_dn Funciton ldap_tx_get_responses_dn returns empty buffer in case the response doesn't contain the distinguished name field Fixes: 73ae6e997f6c ("detect: add ldap.responses.dn")
---
diff --git a/doc/userguide/rules/ldap-keywords.rst b/doc/userguide/rules/ldap-keywords.rst
index d33ae02a22..1e76c99360 100644
--- a/doc/userguide/rules/ldap-keywords.rst
+++ b/doc/userguide/rules/ldap-keywords.rst
@@ -234,6 +234,12 @@ This keyword maps to the EVE fields:
 - ``ldap.responses[].compare_response.matched_dn``
 - ``ldap.responses[].extended_response.matched_dn``
+.. note::
+
+ If a response within the array does not contain the
+ distinguished name field, this field will be interpreted
+ as an empty buffer.
+
 Example
 ^^^^^^^
diff --git a/rust/src/ldap/detect.rs b/rust/src/ldap/detect.rs
index ee5a081e5c..1e80c970fe 100644
--- a/rust/src/ldap/detect.rs
+++ b/rust/src/ldap/detect.rs
@@ -371,7 +371,9 @@ unsafe extern "C" fn ldap_tx_get_responses_dn(
 ProtocolOp::ModDnResponse(resp) => resp.matched_dn.0.as_str(),
 ProtocolOp::CompareResponse(resp) => resp.matched_dn.0.as_str(),
 ProtocolOp::ExtendedResponse(resp) => resp.result.matched_dn.0.as_str(),
- _ => return false,
+ _ => "",
+ // This ensures that the iteration continues,
+ // allowing other responses in the transaction to be processed correctly
 };
 *buffer = str_buffer.as_ptr();
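Review bot: The explanatory comment in the detect.rs hunk sits after the `_ => "",` arm and directly before `};`, so it reads as a remark on the closing brace and never says what the old `return false` did wrong. I would move it above the arm and state the detection reason, e.g. `// No DN in this response type: yield an empty buffer; returning false would end the iteration and leave later responses in the transaction uninspected`. Because the wildcard arm now hands an empty buffer to the engine, a negated `content` match on `ldap.responses.dn` will presumably also hit responses that carry no DN at all, which deserves a line in that comment and a test with a DN-less response ahead of one that has a DN. The body of `ldap_tx_get_responses_dn` starts and ends outside this hunk, so the length handling after `*buffer = str_buffer.as_ptr();` is not visible here.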