Describe the bug
We use OpenDJ 5.1.0 and one of our fuzzing test is failed for decoding ACI containing malformed userdn.
Problem ACI is (version 3.0; acl ":"; allow (search) userdn="ldap://cn=name%B"; )
Error:
java.lang.ArrayIndexOutOfBoundsException: Index 49 out of bounds for length 49
at org.opends.server.types.LDAPURL.urlDecode(LDAPURL.java:693)
at org.opends.server.types.LDAPURL.decode(LDAPURL.java:335)
at org.opends.server.authorization.dseecompat.UserDN.decode(UserDN.java:89)
at org.opends.server.authorization.dseecompat.BindRule.decode(BindRule.java:407)
at org.opends.server.authorization.dseecompat.BindRule.parseAndCreateBindrule(BindRule.java:267)
at org.opends.server.authorization.dseecompat.BindRule.decode(BindRule.java:220)
at org.opends.server.authorization.dseecompat.PermBindRulePair.(PermBindRulePair.java:37)
at org.opends.server.authorization.dseecompat.PermBindRulePair.decode(PermBindRulePair.java:50)
at org.opends.server.authorization.dseecompat.AciBody.decode(AciBody.java:161)
at org.opends.server.authorization.dseecompat.Aci.decode(Aci.java:276)
Root cause is in slightly incorrect check LDAPURL class, urlDecode method.
Condition if (i+2 > length) should be if (i+2 >= length).
Test to reproduce the probem:
String aciString = "(version 3.0; acl ":"; allow (search) userdn="ldap://cn=name%B"; )";
ByteSequence aciByteString = ByteString.valueOfUtf8(aciString);
Aci.decode(aciByteString, DN.rootDN());
Describe the bug
We use OpenDJ 5.1.0 and one of our fuzzing test is failed for decoding ACI containing malformed userdn.
Problem ACI is (version 3.0; acl ":"; allow (search) userdn="ldap://cn=name%B"; )
Error:
java.lang.ArrayIndexOutOfBoundsException: Index 49 out of bounds for length 49
at org.opends.server.types.LDAPURL.urlDecode(LDAPURL.java:693)
at org.opends.server.types.LDAPURL.decode(LDAPURL.java:335)
at org.opends.server.authorization.dseecompat.UserDN.decode(UserDN.java:89)
at org.opends.server.authorization.dseecompat.BindRule.decode(BindRule.java:407)
at org.opends.server.authorization.dseecompat.BindRule.parseAndCreateBindrule(BindRule.java:267)
at org.opends.server.authorization.dseecompat.BindRule.decode(BindRule.java:220)
at org.opends.server.authorization.dseecompat.PermBindRulePair.(PermBindRulePair.java:37)
at org.opends.server.authorization.dseecompat.PermBindRulePair.decode(PermBindRulePair.java:50)
at org.opends.server.authorization.dseecompat.AciBody.decode(AciBody.java:161)
at org.opends.server.authorization.dseecompat.Aci.decode(Aci.java:276)
Root cause is in slightly incorrect check LDAPURL class, urlDecode method.
Condition if (i+2 > length) should be if (i+2 >= length).
Test to reproduce the probem:
String aciString = "(version 3.0; acl ":"; allow (search) userdn="ldap://cn=name%B"; )";
ByteSequence aciByteString = ByteString.valueOfUtf8(aciString);
Aci.decode(aciByteString, DN.rootDN());