Andrey Slepykh created DIRAPI-400:
-------------------------------------
Summary: Hang in LDAP URL parser
Key: DIRAPI-400
URL: https://issues.apache.org/jira/browse/DIRAPI-400
Project: Directory Client API
Issue Type: Bug
Affects Versions: 2.1.6
Reporter: Andrey Slepykh
Attachments: Reproducer.java
Hello, we have found a problem in LDAP URL parser in version 2.1.6 while
fuzzing. The problem is that LDAP parser can not properly handle specially
crafted inputs and just hangs.
{{Steps to reproduce:}}
~1. Download Apache Directory LDAP API v2.1.6:~
^wget wget
[https://github.com/apache/directory-ldap-api/archive/refs/tags/2.1.6.tar.gz]^
^tar xf 2.1.6.tar.gz && rm 2.1.6.tar.gz^
{{2. Compile the project (we used jdk-11 and mvn-3.9.6):}}
{{^cd directory-ldap-api-2.1.6^}}
{{^mvn clean package^}}
{{3. Get the reproducer:}}
{{^mkdir fuzz && cd fuzz^}}
{{^mv <path/to/reproducer>/Reproducer.java .^}}
{{4. Compile the reproducer:}}
{{^javac -cp ../ldap/model/target/classes/ ./Reproducer.java^}}
{{5. Reproduce the hang:}}
{{^java -cp
../ldap/model/target/classes/:.:../util/target/classes/:../integ-osgi/target/dependency/slf4j-api-1.7.26.jar:../i18n/target/classes/
Reproducer^}}
We decided to fuzz this function, because it is used in Apache Directory Server
Found by Linux Verification Center (portal.linuxtesting.ru) with Jazzer.
Author L.Reviakin (l.revia...@fobos-nt.ru)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org
For additional commands, e-mail: dev-h...@directory.apache.org
