openldap: double free in get_vrFilter (CVE-2015-1546)
Double free vulnerability in the get_vrFilter function in servers/slapd/filter.c in OpenLDAP 2.4.40 allows remote attackers to cause a denial of service (crash) via a crafted search query with a matched values control.
When a program calls free() twice with the same argument, the program’s memory management data structures become corrupted. This corruption can cause the program to crash or, in some circumstances, cause two later calls to malloc() to return the same pointer. If malloc() returns the same value twice and the program later gives the attacker control over the data that is written into this doubly-allocated memory, the program becomes vulnerable to a buffer overflow attack.
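The ownership mistake behind this class of bug, as an added example that is not OpenLDAP's code: a list parser whose error path frees the partially built list and then also hands the dangling head back to a caller that frees it again, beside a fixed version with one unambiguous owner. The node pool, the liveness flag and the single-character "filter" format are constructed for the demo so the second free is counted rather than corrupting a real heap.

```c
#include <stddef.h>
/* Constructed for this example: a fixed pool of nodes with a liveness flag. Freed
 * nodes stay readable, so walking a stale list here is well-defined, unlike with malloc. */
#define POOL_SIZE 16
struct node { struct node *next; int live; };
static struct node pool[POOL_SIZE];
static int double_frees;
static struct node *node_alloc(void) {            /* spec length <= POOL_SIZE assumed */
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].live) { pool[i].live = 1; pool[i].next = NULL; return &pool[i]; }
    return NULL;
}
static void node_free(struct node *n) {
    if (n->live) n->live = 0; else double_frees++;  /* already freed: CWE-415 */
}
static void free_list(struct node *n) {
    while (n) { struct node *nx = n->next; node_free(n); n = nx; }
}
int live_nodes(void) { int c = 0; for (int i = 0; i < POOL_SIZE; i++) c += pool[i].live; return c; }
/* Buggy shape: on a bad element ('y') the callee frees the partial list but still returns the head. */
int parse_buggy(const char *spec, struct node **out) {
    struct node *head = NULL;
    for (; *spec; spec++) {
        if (*spec != 'x') { free_list(head); *out = head; return -1; }
        struct node *n = node_alloc(); n->next = head; head = n;
    }
    *out = head; return 0;
}
/* Fixed shape: one owner at a time, and *out is NULL on every failure path. */
int parse_fixed(const char *spec, struct node **out) {
    struct node *head = NULL;
    *out = NULL;
    for (; *spec; spec++) {
        if (*spec != 'x') { free_list(head); return -1; }
        struct node *n = node_alloc(); n->next = head; head = n;
    }
    *out = head; return 0;
}
/* Drive a parser as a caller would, cleaning up on both paths; returns the double-free count. */
int run(int (*parse)(const char *, struct node **), const char *spec) {
    struct node *f = NULL;
    double_frees = 0;
    parse(spec, &f);
    free_list(f);                                 /* caller cleanup, success or error */
    return double_frees;
}
```

With a real allocator the buggy path is exactly the crash the advisory describes; the defensive pattern is the fixed parser's rule that a failing callee leaves the caller nothing to free.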
References:
http://seclists.org/oss-sec/2015/q1/452
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1546
CONFIRM:
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=2f1a2dd329b91afe561cd06b872d09630d4edb6a
http://cwe.mitre.org/data/definitions/415.html
(from redmine: issue id 3965, created on 2015-03-09, closed on 2015-03-16)
- Changesets:
- Revision b4946d66 by Natanael Copa on 2015-03-10T13:05:45Z:
main/openldap: security fix for CVE-2015-1545,CVE-2015-1546
ref #3965
ref #3966
fixes #3970
- Revision 27b14baf by Natanael Copa on 2015-03-10T13:55:52Z:
main/openldap: security fix for CVE-2015-1545,CVE-2015-1546
ref #3965
ref #3966
fixes #3969
- Revision ae0ea5cd by Natanael Copa on 2015-03-10T14:46:32Z:
main/openldap: security fix for CVE-2015-1545,CVE-2015-1546
ref #3965
ref #3966
fixes #3968
- Revision c35d8ac2 by Natanael Copa on 2015-03-10T14:57:48Z:
main/openldap: security fix for CVE-2015-1545,CVE-2015-1546
ref #3965
ref #3966
fixes #3967