CVE-2006-0453
Description
The LDAP component in Fedora Directory Server 1.0 allows remote attackers to cause a denial of service (crash) via a certain "bad BER sequence" that results in a free of uninitialized memory, as demonstrated using the ProtoVer LDAP test suite.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:o:redhat:fedora_core:1.0:*:directory_server:*:*:*:*:*
- Range: =1.0
Vulnerability mechanics
Root cause
"Free of uninitialized memory occurs when the LDAP server's ber_scanf error handling assumes no memory was allocated, but ber_get_stringa may return an allocated (yet uninitialized) buffer after a failed ber_read."
Attack vector
An attacker sends a crafted "bad BER sequence" (such as those from the ProtoVer LDAP test suite) to the Fedora Directory Server over the LDAP network protocol. When the server parses the malformed BER-encoded data with ber_scanf, a ber_read failure inside ber_get_stringa leaves an allocated but uninitialized buffer. The caller then frees this uninitialized memory, causing a crash. A similar problem exists for ber_scanf 'v'/'V' array reads, where uninitialized array elements lead to a free of uninitialized memory [ref_id=1].
Affected code
Multiple files in the Fedora Directory Server were patched, including repl5_total.c, repl_controls.c, repl_extop.c, add.c, ava.c, bind.c, compare.c, delete.c, filter.c, and modify.c [ref_id=1]. The advisory identifies that the core defect lies in how callers handle a failing ber_scanf — particularly when ber_get_stringa returns an allocated but uninitialized buffer after a ber_read error, and when 'v'/'V' array reads leave uninitialized array elements [ref_id=1].
What the fix does
The patch modifies multiple source files (e.g., repl5_total.c, add.c, bind.c, filter.c, modify.c, etc.) so that after every ber_scanf call, callers properly clean up memory even when ber_scanf returns an error. This ensures that any buffer allocated by ber_get_stringa—or any uninitialized array element from 'v'/'V' parsing—is freed or NULL-initialized before use. The fix closes the gap between "ber_scanf returned an error" and "memory was still allocated," preventing the free of uninitialized memory that leads to a crash [ref_id=1].
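The caller-side pattern described above, as an added example (not code from Fedora Directory Server or its patch): `toy_get_stringa` is a hypothetical length-prefixed stand-in for ber_get_stringa, and the allocation counter and byte strings used with it are constructed for illustration.

```c
/* Added illustration: toy length-prefixed decoder, NOT the real ber_scanf. */
#include <stdlib.h>
#include <string.h>

static int live_allocs = 0;   /* outstanding buffers, so cleanup can be checked */
static void *t_alloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void t_free(void *p)    { if (p) { live_allocs--; free(p); } }

/* Hypothetical stand-in for ber_get_stringa: it allocates first, then reads.
 * On a short read it returns -1 although *out already holds a buffer whose
 * contents were never written. On an empty input it returns -1 without
 * touching *out at all. */
static int toy_get_stringa(const unsigned char *in, size_t len, size_t *pos, char **out)
{
    if (*pos >= len) return -1;           /* *out left exactly as the caller set it */
    size_t n = in[(*pos)++];
    *out = t_alloc(n + 1);                /* allocation happens before the read */
    if (*out == NULL) return -1;
    if (len - *pos < n) return -1;        /* "ber_read" failed, buffer stays allocated */
    memcpy(*out, in + *pos, n);
    (*out)[n] = '\0';
    *pos += n;
    return 0;
}

/* Hardened caller: decodes `count` strings into vals[]. */
static int decode_strings(const unsigned char *in, size_t len, char **vals, size_t count)
{
    size_t pos = 0, i;
    for (i = 0; i < count; i++) vals[i] = NULL;   /* 1. NULL-initialize every slot */
    for (i = 0; i < count; i++) {
        if (toy_get_stringa(in, len, &pos, &vals[i]) != 0) {
            /* 2. An error does not mean "nothing was allocated": release every
             * slot, including the one being decoded, and reset it to NULL. */
            for (size_t j = 0; j < count; j++) { t_free(vals[j]); vals[j] = NULL; }
            return -1;
        }
    }
    return 0;
}
```

Without step 1, the cleanup loop would pass never-written slots to `free`; without step 2, the buffer allocated just before the failed read would leak.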
Preconditions
- network: Attacker must be able to send LDAP packets to the server over the network.
- input: Attacker must supply a crafted BER sequence that triggers a ber_read failure inside ber_get_stringa or an array read via 'v'/'V'.
Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.