Star7
46
代码
代码
Issues83
Pull Requests20
流水线
讨论
Wiki
分析
Star7
46
lin-qiang123lin-qiang123fix CVE-2025-14017,CVE-2025-14524
5ec20d3d创建于 1月17日历史提交
From 39d1976b7f709a516e3243338ebc0443bdd8d56d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 4 Dec 2025 00:14:20 +0100
Subject: [PATCH] ldap: call ldap_init() before setting the options

Closes #19830

Conflict:context adapt for curl-7.78.0
format adapt
ipquad.remote_port => (int)conn->port for curl-7.78.0
Reference:https://github.com/curl/curl/commit/39d1976b7f709a516e3243338ebc0443bdd8d56d
---
 lib/ldap.c | 47 ++++++++++++++++++++++-------------------------
 1 file changed, 22 insertions(+), 25 deletions(-)

--- curl/lib/ldap.c	2021-07-19 15:19:57.000000000 +0800
+++ curl-patched/lib/ldap.c	2026-01-16 11:13:52.993185400 +0800
@@ -333,16 +333,29 @@
     passwd = conn->passwd;
   }
 
+#ifdef USE_WIN32_LDAP
+  if(ldap_ssl)
+    server = ldap_sslinit(host, (int)conn->port, 1);
+  else
+#else
+    server = ldap_init(host, (int)conn->port);
+#endif
+  if(!server) {
+    failf(data, "LDAP: cannot setup connect to %s:%ld",
+          conn->host.dispname, conn->port);
+    result = CURLE_COULDNT_CONNECT;
+    goto quit;
+  }
+
 #ifdef LDAP_OPT_NETWORK_TIMEOUT
-  ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout);
+  ldap_set_option(server, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout);
 #endif
-  ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
+  ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
 
   if(ldap_ssl) {
 #ifdef HAVE_LDAP_SSL
 #ifdef USE_WIN32_LDAP
     /* Win32 LDAP SDK doesn't support insecure mode without CA! */
-    server = ldap_sslinit(host, (int)conn->port, 1);
     ldap_set_option(server, LDAP_OPT_SSL, LDAP_OPT_ON);
 #else
     int ldap_option;
@@ -410,7 +423,7 @@
         goto quit;
       }
       infof(data, "LDAP local: using PEM CA cert: %s", ldap_ca);
-      rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca);
+      rc = ldap_set_option(server, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca);
       if(rc != LDAP_SUCCESS) {
         failf(data, "LDAP local: ERROR setting PEM CA cert: %s",
                 ldap_err2string(rc));
@@ -422,20 +435,13 @@
     else
       ldap_option = LDAP_OPT_X_TLS_NEVER;
 
-    rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option);
+    rc = ldap_set_option(server, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option);
     if(rc != LDAP_SUCCESS) {
       failf(data, "LDAP local: ERROR setting cert verify mode: %s",
               ldap_err2string(rc));
       result = CURLE_SSL_CERTPROBLEM;
       goto quit;
     }
-    server = ldap_init(host, (int)conn->port);
-    if(!server) {
-      failf(data, "LDAP local: Cannot connect to %s:%ld",
-            conn->host.dispname, conn->port);
-      result = CURLE_COULDNT_CONNECT;
-      goto quit;
-    }
     ldap_option = LDAP_OPT_X_TLS_HARD;
     rc = ldap_set_option(server, LDAP_OPT_X_TLS, &ldap_option);
     if(rc != LDAP_SUCCESS) {
@@ -464,15 +470,7 @@
 #endif
 #endif /* CURL_LDAP_USE_SSL */
   }
-  else {
-    server = ldap_init(host, (int)conn->port);
-    if(!server) {
-      failf(data, "LDAP local: Cannot connect to %s:%ld",
-            conn->host.dispname, conn->port);
-      result = CURLE_COULDNT_CONNECT;
-      goto quit;
-    }
-  }
+
 #ifdef USE_WIN32_LDAP
   ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
   rc = ldap_win_bind(data, server, user, passwd);