Fix panic on malformed LDAP responses (#586)

Bahtya · web-flow · commit 5937e979b628 · 2026-04-04T19:55:26.000+02:00
Six operations (Add, Del, Compare, Modify, ModifyDN, PasswordModify) access packet.Children[1] without bounds checking. A malformed BER response with fewer than 2 children causes a panic (index out of range). Add len(packet.Children) < 2 guard in all affected functions, returning a descriptive error instead of panicking. Fixes #585 Co-authored-by: bahtya <bahtyar153@qq.com>
diff --git a/v3/add.go b/v3/add.go
@@ -83,6 +83,9 @@ func (l *Conn) Add(addRequest *AddRequest) error {
 		return err
 	}
 
+	if len(packet.Children) < 2 {
+		return fmt.Errorf("ldap: malformed response: expected at least 2 children, got %d", len(packet.Children))
+	}
 	if packet.Children[1].Tag == ApplicationAddResponse {
 		err := GetLDAPError(packet)
 		if err != nil {
diff --git a/v3/compare.go b/v3/compare.go
@@ -46,6 +46,9 @@ func (l *Conn) Compare(dn, attribute, value string) (bool, error) {
 		return false, err
 	}
 
+	if len(packet.Children) < 2 {
+		return false, fmt.Errorf("ldap: malformed response: expected at least 2 children, got %d", len(packet.Children))
+	}
 	if packet.Children[1].Tag == ApplicationCompareResponse {
 		err := GetLDAPError(packet)
 
diff --git a/v3/del.go b/v3/del.go
@@ -52,6 +52,9 @@ func (l *Conn) Del(delRequest *DelRequest) error {
 		return err
 	}
 
+	if len(packet.Children) < 2 {
+		return fmt.Errorf("ldap: malformed response: expected at least 2 children, got %d", len(packet.Children))
+	}
 	if packet.Children[1].Tag == ApplicationDelResponse {
 		err := GetLDAPError(packet)
 		if err != nil {
diff --git a/v3/moddn.go b/v3/moddn.go
@@ -89,6 +89,9 @@ func (l *Conn) ModifyDN(m *ModifyDNRequest) error {
 		return err
 	}
 
+	if len(packet.Children) < 2 {
+		return fmt.Errorf("ldap: malformed response: expected at least 2 children, got %d", len(packet.Children))
+	}
 	if packet.Children[1].Tag == ApplicationModifyDNResponse {
 		err := GetLDAPError(packet)
 		if err != nil {
diff --git a/v3/modify.go b/v3/modify.go
@@ -121,6 +121,9 @@ func (l *Conn) Modify(modifyRequest *ModifyRequest) error {
 		return err
 	}
 
+	if len(packet.Children) < 2 {
+		return fmt.Errorf("ldap: malformed response: expected at least 2 children, got %d", len(packet.Children))
+	}
 	if packet.Children[1].Tag == ApplicationModifyResponse {
 		err := GetLDAPError(packet)
 		if err != nil {
@@ -159,6 +162,10 @@ func (l *Conn) ModifyWithResult(modifyRequest *ModifyRequest) (*ModifyResult, er
 		return nil, err
 	}
 
+	if len(packet.Children) < 2 {
+		return nil, fmt.Errorf("ldap: malformed response: expected at least 2 children, got %d", len(packet.Children))
+	}
+
 	switch packet.Children[1].Tag {
 	case ApplicationModifyResponse:
 		if err = GetLDAPError(packet); err != nil {
diff --git a/v3/passwdmodify.go b/v3/passwdmodify.go
@@ -93,6 +93,9 @@ func (l *Conn) PasswordModify(passwordModifyRequest *PasswordModifyRequest) (*Pa
 
 	result := &PasswordModifyResult{}
 
+	if len(packet.Children) < 2 {
+		return nil, fmt.Errorf("ldap: malformed response: expected at least 2 children, got %d", len(packet.Children))
+	}
 	if packet.Children[1].Tag == ApplicationExtendedResponse {
 		if err = GetLDAPError(packet); err != nil {
 			result.Referral = getReferral(err, packet)

Original file line number	Diff line number	Diff line change
`@@ -83,6 +83,9 @@ func (l Conn) Add(addRequest AddRequest) error {`
`83`	`83`	`return err`
`84`	`84`	`}`
`85`	`85`
	`86`	`+ if len(packet.Children) < 2 {`
	`87`	`+ return fmt.Errorf("ldap: malformed response: expected at least 2 children, got %d", len(packet.Children))`
	`88`	`+ }`
`86`	`89`	`if packet.Children[1].Tag == ApplicationAddResponse {`
`87`	`90`	`err := GetLDAPError(packet)`
`88`	`91`	`if err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,9 @@ func (l *Conn) Compare(dn, attribute, value string) (bool, error) {`
`46`	`46`	`return false, err`
`47`	`47`	`}`
`48`	`48`
	`49`	`+ if len(packet.Children) < 2 {`
	`50`	`+ return false, fmt.Errorf("ldap: malformed response: expected at least 2 children, got %d", len(packet.Children))`
	`51`	`+ }`
`49`	`52`	`if packet.Children[1].Tag == ApplicationCompareResponse {`
`50`	`53`	`err := GetLDAPError(packet)`
`51`	`54`
Original file line number	Diff line number	Diff line change
`@@ -52,6 +52,9 @@ func (l Conn) Del(delRequest DelRequest) error {`
`52`	`52`	`return err`
`53`	`53`	`}`
`54`	`54`
	`55`	`+ if len(packet.Children) < 2 {`
	`56`	`+ return fmt.Errorf("ldap: malformed response: expected at least 2 children, got %d", len(packet.Children))`
	`57`	`+ }`
`55`	`58`	`if packet.Children[1].Tag == ApplicationDelResponse {`
`56`	`59`	`err := GetLDAPError(packet)`
`57`	`60`	`if err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -89,6 +89,9 @@ func (l Conn) ModifyDN(m ModifyDNRequest) error {`
`89`	`89`	`return err`
`90`	`90`	`}`
`91`	`91`
	`92`	`+ if len(packet.Children) < 2 {`
	`93`	`+ return fmt.Errorf("ldap: malformed response: expected at least 2 children, got %d", len(packet.Children))`
	`94`	`+ }`
`92`	`95`	`if packet.Children[1].Tag == ApplicationModifyDNResponse {`
`93`	`96`	`err := GetLDAPError(packet)`
`94`	`97`	`if err != nil {`