From f4f0cbae196f2e81829a6ae54e8afed6f957a390 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Wed, 15 Nov 2023 07:17:23 +0100
Subject: [PATCH] Fix segfault in internal function _ldap.str2dn

`l_ldap_str2dn` crashes with a NULL pointer deref when an empty string or None is passed in. `ldap_bv2dn` returns success with NULL dn for an empty berval struct. In debug builds, `ldap_bv2dn` fails with an assertion error. The function now returns an empty list for an empty input. Note: The public API of python-ldap is not affected. The wrapper `ldap.dn.str2dn` does not pass an empty string to the low-level function.
Fixes: https://github.com/python-ldap/python-ldap/issues/549
Signed-off-by: Christian Heimes
---
 Modules/functions.c | 5 +++++
 Tests/t_cext.py | 6 ++++++
 2 files changed, 11 insertions(+)
diff --git a/Modules/functions.c b/Modules/functions.c
index f7d9cf37..72d83513 100644
--- a/Modules/functions.c
+++ b/Modules/functions.c
@@ -100,6 +100,11 @@ l_ldap_str2dn(PyObject *unused, PyObject *args)
 */
 if (!PyArg_ParseTuple(args, "z#|i:str2dn", &str.bv_val, &str_len, &flags))
 return NULL;
+
+ if (str_len == 0) {
+ // GH-549: ldap_bv2dn() does not support empty string.
+ return PyList_New(0);
+ }
 str.bv_len = (ber_len_t) str_len;
 res = ldap_bv2dn(&str, &dn, flags);
diff --git a/Tests/t_cext.py b/Tests/t_cext.py
index 33fbf29a..9df16dc8 100644
--- a/Tests/t_cext.py
+++ b/Tests/t_cext.py
@@ -955,6 +955,12 @@ def test_require_san(self):
 _ldap.OPT_X_TLS_TRY
 )
+ def test_str2dn(self):
+ self.assertEqual(_ldap.str2dn(""), [])
+ self.assertEqual(_ldap.str2dn(None), [])
+ with self.assertRaises(TypeError):
+ _ldap.str2dn(object)
+
 if __name__ == '__main__':
 unittest.main()
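Review bot: The new guard in `l_ldap_str2dn` keys on the input length only, so the pointer that was actually dereferenced, `dn`, is still used unchecked after `ldap_bv2dn(&str, &dn, flags)` succeeds. The commit message says the library can return success with a NULL `dn`; the code that walks `dn` is outside this hunk, so I cannot confirm that the empty input is the only such case. A check on the result after the existing success test, for example `if (dn == NULL) return PyList_New(0);`, would keep the function safe regardless of which inputs trigger that behaviour. As a style point, the visible context uses `/* ... */` comments, so the added comment would match the file better as `/* GH-549: ldap_bv2dn() does not support empty string. */`.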
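Review bot: `test_str2dn` covers `""` and `None` but not the other inputs the `"z#|i"` format accepts, so the crash fix is only partly pinned down. An empty bytes object also reaches the new `str_len == 0` branch, and so does an empty string combined with the optional flags argument. Adding `self.assertEqual(_ldap.str2dn(b""), [])` and `self.assertEqual(_ldap.str2dn("", 0), [])` would cover both. The enclosing test class starts outside this hunk, so a non-empty round-trip case may already exist elsewhere; if it does not, one belongs here to show the guard leaves normal parsing unchanged.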