Andrey Slepykh created DIRAPI-400:
-------------------------------------

Summary: Hang in LDAP URL parser
Key: DIRAPI-400
URL: https://issues.apache.org/jira/browse/DIRAPI-400
Project: Directory Client API
Issue Type: Bug
Affects Versions: 2.1.6
Reporter: Andrey Slepykh
Attachments: Reproducer.java

Hello,

we have found a problem in the LDAP URL parser in version 2.1.6 while fuzzing. The problem is that the LDAP parser cannot properly handle specially crafted inputs and just hangs.

Steps to reproduce:

1. Download Apache Directory LDAP API v2.1.6:

    wget https://github.com/apache/directory-ldap-api/archive/refs/tags/2.1.6.tar.gz
    tar xf 2.1.6.tar.gz && rm 2.1.6.tar.gz

2. Compile the project (we used jdk-11 and mvn-3.9.6):

    cd directory-ldap-api-2.1.6
    mvn clean package

3. Get the reproducer:

    mkdir fuzz && cd fuzz
    mv <path/to/reproducer>/Reproducer.java .

4. Compile the reproducer:

    javac -cp ../ldap/model/target/classes/ ./Reproducer.java

5. Reproduce the hang:

    java -cp ../ldap/model/target/classes/:.:../util/target/classes/:../integ-osgi/target/dependency/slf4j-api-1.7.26.jar:../i18n/target/classes/ Reproducer

We decided to fuzz this function because it is used in Apache Directory Server.

Found by Linux Verification Center (portal.linuxtesting.ru) with Jazzer.

Author L.Reviakin (l.revia...@fobos-nt.ru)
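
A time-bounded check for this kind of parser hang, as an added example that is not the attached Reproducer.java and not code from the reporter or the project. It assumes the parser entry point is the `LdapUrl(String)` constructor in `org.apache.directory.api.ldap.model.url`; the class name `LdapUrlHangCheck`, the 2-second budget and the sample URL are constructed for illustration.

```java
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.apache.directory.api.ldap.model.exception.LdapURLEncodingException;
import org.apache.directory.api.ldap.model.url.LdapUrl;

// Hypothetical helper: parses each command-line argument as an LDAP URL
// under a time budget and reports inputs on which the parser does not return.
public class LdapUrlHangCheck {
    // Assumed budget; a healthy parse of a short URL finishes in milliseconds.
    private static final long TIMEOUT_MS = 2000;

    enum Result { PARSED, REJECTED, HANG, ERROR }

    static Result check(ExecutorService pool, String candidate) throws InterruptedException {
        Future<?> f = pool.submit(() -> { new LdapUrl(candidate); return null; });
        try {
            f.get(TIMEOUT_MS, TimeUnit.MILLISECONDS);
            return Result.PARSED;
        } catch (TimeoutException e) {
            f.cancel(true); // best effort: a tight loop may ignore interruption
            return Result.HANG;
        } catch (ExecutionException e) {
            // A clean rejection is the expected outcome for malformed input.
            return (e.getCause() instanceof LdapURLEncodingException) ? Result.REJECTED : Result.ERROR;
        }
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed, well-formed sample used when no arguments are given.
        String[] inputs = args.length > 0 ? args
            : new String[] { "ldap://localhost:389/dc=example,dc=com?cn?sub?(objectClass=*)" };
        ExecutorService pool = Executors.newCachedThreadPool(r -> {
            Thread t = new Thread(r, "ldapurl-parse");
            t.setDaemon(true); // a stuck parser thread must not keep the JVM alive
            return t;
        });
        boolean hung = false;
        for (String in : inputs) {
            Result r = check(pool, in);
            System.out.println(r + "\t" + in.length() + " chars");
            hung |= (r == Result.HANG);
        }
        System.exit(hung ? 1 : 0); // non-zero exit lets CI flag a regression
    }
}
```

It compiles and runs with the same classpath as steps 4 and 5. A thread stuck in the parser keeps consuming CPU until the JVM exits, so the timeout detects the hang rather than containing it.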