[Freeipa-devel] [PATCH 0030] Prevent doubled LDAP queries during nonexistent DNS name lookup

Adam Tkac atkac at redhat.com
Fri Jul 13 13:47:15 UTC 2012


On Wed, Jul 11, 2012 at 03:54:07PM +0200, Petr Spacek wrote:
> Hello,
> 
> this patch fixes a bug introduced by the CVE-2012-2134 fix (commit
> cd33194c5a61e98cba53212458cce02b849077ba).
> 
> From cd33194c5a61e98cba53212458cce02b849077ba up to now, each query
> for a nonexistent DNS name results in two (exactly the same) LDAP queries.

Ack, please push it to master.

Regards, Adam

> From 965a2f9443fcec2b4e32acf726aaa5a6de5b91c3 Mon Sep 17 00:00:00 2001
> From: Petr Spacek <pspacek at redhat.com>
> Date: Wed, 11 Jul 2012 12:10:16 +0200
> Subject: [PATCH] Prevent doubled LDAP queries during nonexistent DNS name
>  lookups. This problem was introduced in commit
>  cd33194c5a61e98cba53212458cce02b849077ba (CVE-2012-2134
>  fix).
> 
> Signed-off-by: Petr Spacek <pspacek at redhat.com>
> ---
>  src/ldap_helper.c |    7 ++++++-
>  1 files changed, 6 insertions(+), 1 deletions(-)
> 
> diff --git a/src/ldap_helper.c b/src/ldap_helper.c
> index 7f0a6f4b37171a6fa4db79cd32fdd8bc62288e0f..b06036f89fdf088e2d3c3ef964165d23c2d20172 100644
> --- a/src/ldap_helper.c
> +++ b/src/ldap_helper.c
> @@ -1618,6 +1618,7 @@ ldap_query(ldap_instance_t *ldap_inst, ldap_connection_t *ldap_conn,
>  	isc_result_t result;
>  	int cnt;
>  	int ret;
> +	int ldap_err_code;
>  	int once = 0;
>  
>  	REQUIRE(ldap_conn != NULL);
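Review bot: `ldap_err_code` is declared without an initializer in this hunk; it is only read below behind the `ret == LDAP_OPT_SUCCESS` guard, so this is safe today, but initializing it (for example `int ldap_err_code = LDAP_SUCCESS;`) would keep the value defined if that guard is ever loosened.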
> @@ -1661,8 +1662,12 @@ retry:
>  		return ISC_R_SUCCESS;
>  	}
>  
> +	ret = ldap_get_option(ldap_conn->handle, LDAP_OPT_RESULT_CODE,
> +			      (void *)&ldap_err_code);
> +	if (ret == LDAP_OPT_SUCCESS && ldap_err_code == LDAP_NO_SUCH_OBJECT)
> +		return ISC_R_NOTFOUND;
>  	/* some error happened during ldap_search, try to recover */
> -	if (!once) {
> +	else if (!once) {
>  		once++;
>  		result = handle_connection_error(ldap_inst, ldap_conn,
>  						 ISC_FALSE);
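Review bot: the `else if (!once)` in this hunk is reachable only when the preceding `if` did not `return`, so the `else` is redundant, and placing the `/* some error happened during ldap_search, try to recover */` comment between the `return ISC_R_NOTFOUND;` line and the `else if` makes the control flow harder to read; keep the original `if (!once) {` with the comment directly above it. Also note that when `ldap_get_option()` itself fails, the code still falls through to `handle_connection_error()` and the retry, so the doubled query is avoided only when the result code can be read; a log line in that case would make the remaining retries explainable.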
> -- 
> 1.7.7.6
> 


-- 
Adam Tkac, Red Hat, Inc.