openldap: limit max incoming size

Set the maximum allowed size of an incoming LDAP message, which to
OpenLDAP means that it allows malloc() up to this size. If not set,
there is no limit and we instead risk a malloc() failure.

The limit is arbitrarily set to 256K as I can't figure out what a
reasonable value should be.

OpenLDAP docs: https://openldap.org/software/man.cgi?query=lber-sockbuf&apropos=0&sektion=0&manpath=OpenLDAP+2.6-Release&arch=default&format=html

Bug: https://issues.oss-fuzz.com/issues/432441303
Closes #19087

diff --git a/lib/openldap.c b/lib/openldap.c
index b8afe99529e16e813e74ad32b06d00aa890f7a44..1b26b6e1b4d94a4c12d5712258e582687e6d13aa 100644 (file)
--- a/lib/openldap.c
+++ b/lib/openldap.c
@@ -659,6 +659,19 @@ static CURLcode oldap_connect(struct Curl_easy *data, bool *done)
   /* Do not chase referrals. */
   ldap_set_option(li->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
 
+  {
+    ber_len_t max = 256*1024;
+    Sockbuf *sb;
+    if(ldap_get_option(li->ld, LDAP_OPT_SOCKBUF, (void **)&sb) ||
+       /* Set the maximum allowed size of an incoming message, which to
+          OpenLDAP means that it will malloc() memory up to this size. If not
+          set, there is no limit and we instead risk a malloc() failure. */
+       ber_sockbuf_ctrl(sb, LBER_SB_OPT_SET_MAX_INCOMING, &max)) {
+      result = CURLE_FAILED_INIT;
+      goto out;
+    }
+  }
+
 #ifdef USE_SSL
   if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) {
     result = oldap_ssl_connect(data, OLDAP_SSL);