[Fedora-directory-commits] ldapserver/ldap/servers/plugins/acl aclanom.c, 1.6, 1.7 acllas.c, 1.9, 1.10

Richard Allen Megginson (rmeggins) fedora-directory-commits at redhat.com
Fri Oct 19 15:36:03 UTC 2007


Author: rmeggins

Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/acl
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv21558/ldapserver/ldap/servers/plugins/acl

Modified Files:
	aclanom.c acllas.c 
Log Message:
Resolves: bug 297221
Description: rhds71 Malformed Dynamic Authorization Group makes Directory Server Crash
Reviewed by: supplemental
Fix Description: In some cases, it is ok if the filter is NULL.  So just allow NULL in those cases.  slapi_str2filter must take either NULL or a writable string, so make sure we pass those in correctly.



Index: aclanom.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/acl/aclanom.c,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- aclanom.c	10 Nov 2006 23:44:49 -0000	1.6
+++ aclanom.c	19 Oct 2007 15:36:01 -0000	1.7
@@ -238,8 +238,16 @@
 		}
 
 		a_profile->anom_targetinfo[a_numacl].anom_filter =  NULL;
-		if ( aci->targetFilterStr )
+		if ( aci->targetFilterStr ) {
 			a_profile->anom_targetinfo[a_numacl].anom_filter =  slapi_str2filter ( aci->targetFilterStr );
+			if (NULL == a_profile->anom_targetinfo[a_numacl].anom_filter) {
+				const char	*dn = slapi_sdn_get_dn ( aci->aci_sdn );
+				slapi_log_error(SLAPI_LOG_FATAL, plugin_name,
+								"Error: invalid filter [%s] in anonymous aci in entry [%s]\n",
+								aci->targetFilterStr, dn);
+				goto cleanup;
+			}
+		}				
 
 		i = 0;
 		srcattrArray = aci->targetAttr;
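Review bot: The new `goto cleanup` on a rejected target filter does not say what state the anonymous profile is left in, and the `cleanup` label is outside this hunk. Before this change an unparsed filter left `anom_filter` NULL for the slot, so confirm that cleanup discards the whole profile, including the slot at `a_numacl`, and that anonymous requests then go through full ACL evaluation. A comment at the jump would record that: `/* unparsable targetfilter: drop the anonymous profile rather than keep this aci without its filter */`. `dn` is also passed to `%s` unchecked; if `slapi_sdn_get_dn` can return NULL here, `dn ? dn : ""` keeps the log call well defined.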


Index: acllas.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/acl/acllas.c,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- acllas.c	18 Oct 2007 22:25:13 -0000	1.9
+++ acllas.c	19 Oct 2007 15:36:01 -0000	1.10
@@ -3027,7 +3027,7 @@
 	/* Convert the filter string */
 	f = slapi_str2filter ( ludp->lud_filter );
 
-	if (f == NULL) { /* bogus filter */
+	if (ludp->lud_filter && (f == NULL)) { /* bogus filter */
 		slapi_log_error(SLAPI_LOG_FATAL, plugin_name,
 						"DS_LASUserAttrEval: The member URL search filter in entry [%s] is not valid: [%s]\n",
 						n_clientdn, ludp->lud_filter);
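Review bot: With the added `ludp->lud_filter &&` test, a member URL that carries no filter is no longer rejected, and the hunk at line 3036 then leaves `rc` at `ACL_TRUE` because `f` is NULL. This matches the usual reading of an absent LDAP URL filter as match-all, but in access-control code the intent should be stated next to the check, e.g. `/* no filter in the member URL: nothing to test, treated as a match */`. An empty but non-NULL `lud_filter` presumably still takes the bogus-filter branch if `slapi_str2filter` returns NULL for it, which deserves a regression test. The enclosing function starts and ends outside the hunk.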
@@ -3036,8 +3036,8 @@
     }
 
 	rc = ACL_TRUE;
-	if (0 != slapi_vattr_filter_test ( aclpb->aclpb_pblock, 
-				aclpb->aclpb_client_entry, f, 0 /* no acces chk */ ))
+	if (f && (0 != slapi_vattr_filter_test ( aclpb->aclpb_pblock, 
+				aclpb->aclpb_client_entry, f, 0 /* no acces chk */ )))
 		rc = ACL_FALSE;
 
 	ldap_free_urldesc( ludp );
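Review bot: The two-line condition guarding `rc = ACL_FALSE;` has no braces, which is easy to misread or mis-edit in a function that decides an access result. Bracing it keeps the decision explicit: `if (f && (0 != slapi_vattr_filter_test(...))) { rc = ACL_FALSE; }`. The comment typo `no acces chk` could be corrected to `no access check` in the same edit. Whether `f` is released after this test is not visible in the hunk.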
@@ -3843,6 +3843,8 @@
 	int rc = ACL_FALSE;
 	Slapi_Filter *f = NULL;							
 
+	PR_ASSERT(str);
+
 	if ((f = slapi_str2filter(str)) == NULL) {
 		slapi_log_error(SLAPI_LOG_FATAL, plugin_name,
         	"Warning: Bad targetfilter(%s) in aci: does not match\n", str);       	
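Review bot: `PR_ASSERT(str)` is compiled out of non-debug NSPR builds, so in a production server a NULL `str` still reaches `slapi_str2filter(str)` and then the `%s` in the warning below. A debug build aborts the process on the same input. Because the bug being fixed is a crash on malformed ACI data, a runtime guard is the safer form: `if (NULL == str) { return rc; }` before the parse, while `rc` is still `ACL_FALSE`. The function's signature and the rest of its body are outside the hunk, so check that no cleanup is needed on that early return.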



