[Fedora-directory-commits] ldapserver/ldap/servers/slapd libglobs.c, 1.30, 1.31 proto-slap.h, 1.42, 1.43 sasl_io.c, 1.15, 1.16 slap.h, 1.39, 1.40

Nathan Kinder nkinder at fedoraproject.org
Tue Nov 25 19:20:29 UTC 2008


Author: nkinder

Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13745/ldap/servers/slapd

Modified Files:
	libglobs.c proto-slap.h sasl_io.c slap.h 
Log Message:
Resolves: 387851
Summary: Add configuration parameter to limit maximum allowed incoming SASL IO packet size.



Index: libglobs.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/libglobs.c,v
retrieving revision 1.30
retrieving revision 1.31
diff -u -r1.30 -r1.31
--- libglobs.c	13 Nov 2008 21:56:29 -0000	1.30
+++ libglobs.c	25 Nov 2008 19:20:26 -0000	1.31
@@ -525,6 +525,9 @@
 	{CONFIG_MAXBERSIZE_ATTRIBUTE, config_set_maxbersize,
 		NULL, 0,
 		(void**)&global_slapdFrontendConfig.maxbersize, CONFIG_INT, NULL},
+	{CONFIG_MAXSASLIOSIZE_ATTRIBUTE, config_set_maxsasliosize,
+		NULL, 0,
+		(void**)&global_slapdFrontendConfig.maxsasliosize, CONFIG_INT, NULL},
 	{CONFIG_VERSIONSTRING_ATTRIBUTE, config_set_versionstring,
 		NULL, 0,
 		(void**)&global_slapdFrontendConfig.versionstring, CONFIG_STRING, NULL},
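Review bot: The new table row pairs a `size_t` field (`maxsasliosize`, declared `size_t` in the slap.h change) with `CONFIG_INT`; if the generic config reader dereferences that pointer as an `int`, a 64-bit build will read only half of the value (the low half on little-endian, the high half on big-endian), so `nsslapd-maxsasliosize` could be reported or applied incorrectly. The neighbouring `maxbersize` row uses the same `CONFIG_INT` with a `ber_len_t`, so there may be precedent, but that does not make it safe on LP64. If a wider config type exists (a long/size variant), use it here; otherwise add a comment such as `/* NOTE: CONFIG_INT on a size_t field - verify the generic getter handles the width */` until the reader is confirmed to cope. The enclosing table starts and ends outside this hunk.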
@@ -4488,6 +4491,42 @@
 }
 
 int
+config_set_maxsasliosize( const char *attrname, char *value, char *errorbuf, int apply )
+{
+  int retVal =  LDAP_SUCCESS;
+  slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+  if ( config_value_is_null( attrname, value, errorbuf, 0 )) {
+        return LDAP_OPERATIONS_ERROR;
+  }
+
+  if ( !apply ) {
+        return retVal;
+  }
+
+  CFG_LOCK_WRITE(slapdFrontendConfig);
+
+  slapdFrontendConfig->maxsasliosize = atol(value);
+
+  CFG_UNLOCK_WRITE(slapdFrontendConfig);
+  return retVal;
+}
+
+size_t
+config_get_maxsasliosize()
+{
+  size_t maxsasliosize;
+  slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+  maxsasliosize = slapdFrontendConfig->maxsasliosize;
+  if (maxsasliosize == 0) {
+    maxsasliosize = 2 * 1024 * 1024; /* Default: 2Mb */
+  }
+
+  return maxsasliosize;
+}
+
+int
 config_set_max_filter_nest_level( const char *attrname, char *value,
 		char *errorbuf, int apply )
 {
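Review bot: `config_set_maxsasliosize` stores `atol(value)` into a `size_t` with no validation, so a negative value (for example "-1") wraps to SIZE_MAX and silently disables the limit, and a non-numeric value yields 0, which the getter then maps to the 2MB default without any error being reported to the administrator. The `apply == 0` pre-check path should reject the value before anything is stored, using `strtol` with an end-pointer and `errno` so that garbage, trailing characters, overflow and negatives all fail; the error text should be written to `errorbuf` the same way the sibling setters do (their mechanism is not visible in this hunk, so the placeholder comment below marks the spot). The getter `config_get_maxsasliosize` also reads the field without `CFG_LOCK_READ`, which is presumably a deliberate trade-off for a hot read path, but it is worth a comment stating that (or taking the read lock like other getters, if they do). `config_set_max_filter_nest_level` starts in this hunk and continues past it.
```c
int
config_set_maxsasliosize( const char *attrname, char *value, char *errorbuf, int apply )
{
  int retVal =  LDAP_SUCCESS;
  long limit;
  char *endp = NULL;
  slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();

  if ( config_value_is_null( attrname, value, errorbuf, 0 )) {
        return LDAP_OPERATIONS_ERROR;
  }

  /* Validate before storing: a negative value would wrap to SIZE_MAX (no limit),
     and a non-numeric value would become 0 (silently the default). */
  errno = 0;
  limit = strtol(value, &endp, 10);
  if (endp == value || *endp != '\0' || errno == ERANGE || limit < 0) {
        /* report "attrname: value must be a non-negative integer" via errorbuf
           using the same helper the neighbouring setters use */
        return LDAP_OPERATIONS_ERROR;
  }

  if ( !apply ) {
        return retVal;
  }

  CFG_LOCK_WRITE(slapdFrontendConfig);
  slapdFrontendConfig->maxsasliosize = (size_t)limit;
  CFG_UNLOCK_WRITE(slapdFrontendConfig);
  return retVal;
}
/* … unchanged: config_get_maxsasliosize … */
```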


Index: proto-slap.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/proto-slap.h,v
retrieving revision 1.42
retrieving revision 1.43
diff -u -r1.42 -r1.43
--- proto-slap.h	7 Nov 2008 22:32:57 -0000	1.42
+++ proto-slap.h	25 Nov 2008 19:20:27 -0000	1.43
@@ -320,6 +320,7 @@
 int config_set_referral_mode(const char *attrname, char *url, char *errorbuf, int apply);
 int config_set_conntablesize(const char *attrname, char *url, char *errorbuf, int apply);
 int config_set_maxbersize(const char *attrname,  char *value, char *errorbuf, int apply );
+int config_set_maxsasliosize(const char *attrname,  char *value, char *errorbuf, int apply );
 int config_set_versionstring(const char *attrname,  char *versionstring, char *errorbuf, int apply );
 int config_set_enquote_sup_oc(const char *attrname,  char *value, char *errorbuf, int apply );
 int config_set_basedn( const char *attrname, char *value, char *errorbuf, int apply );
@@ -442,6 +443,7 @@
 int config_get_conntablesize(void);
 int config_check_referral_mode(void);
 ber_len_t config_get_maxbersize();
+size_t config_get_maxsasliosize();
 char *config_get_versionstring();
 char *config_get_buildnum(void);
 int config_get_enquote_sup_oc();


Index: sasl_io.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/sasl_io.c,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- sasl_io.c	17 Oct 2008 22:12:47 -0000	1.15
+++ sasl_io.c	25 Nov 2008 19:20:27 -0000	1.16
@@ -215,6 +215,15 @@
 
         LDAPDebug( LDAP_DEBUG_CONNS,
             "read sasl packet length %ld on connection %" PRIu64 "\n", packet_length, c->c_connid, 0 );
+
+        if (packet_length > config_get_maxsasliosize()) {
+            LDAPDebug( LDAP_DEBUG_ANY,
+                "SASL encrypted packet length exceeds maximum allowed limit (length=%ld, limit=%ld)."
+                "  Change the nsslapd-maxsasliosize attribute in cn=config to increase limit.\n",
+                 packet_length, config_get_maxsasliosize(), 0);
+            return -1;
+        }
+
         sasl_io_resize_encrypted_buffer(c->c_sasl_io_private, packet_length);
         /* Cyrus SASL implementation expects to have the length at the first 
            4 bytes */
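Review bot: The new `LDAPDebug` call formats the `size_t` returned by `config_get_maxsasliosize()` with `%ld`; that is a type mismatch (undefined behaviour per the C standard) and prints garbage on targets where `long` is narrower than `size_t`, which includes the Win64 builds this file appears to support via its `_WIN32` guards. Fetch the limit once into a local and cast it for the log: `size_t maxsasliosize = config_get_maxsasliosize();`, `if ((size_t)packet_length > maxsasliosize) {` and pass `(long)maxsasliosize` to the debug call, which also avoids calling the getter twice per packet. `packet_length` is printed with `%ld` on the line above, so it is presumably a signed `long`; the cast keeps the current behaviour where a negative value compares as huge and is rejected, but if it is actually unsigned the cast is harmless. Separately, it may be worth a comment noting how this configured ceiling relates to the SASL security-layer buffer size negotiated with the client (not visible here) so that an administrator raising one knows to check the other. The enclosing function starts and ends outside this hunk.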


Index: slap.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slap.h,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -r1.39 -r1.40
--- slap.h	7 Nov 2008 22:32:57 -0000	1.39
+++ slap.h	25 Nov 2008 19:20:27 -0000	1.40
@@ -1764,6 +1764,7 @@
 #define CONFIG_REFERRAL_MODE_ATTRIBUTE		"nsslapd-referralmode"
 #define CONFIG_ATTRIBUTE_NAME_EXCEPTION_ATTRIBUTE "nsslapd-attribute-name-exceptions"
 #define CONFIG_MAXBERSIZE_ATTRIBUTE "nsslapd-maxbersize"
+#define CONFIG_MAXSASLIOSIZE_ATTRIBUTE "nsslapd-maxsasliosize"
 #define CONFIG_MAX_FILTER_NEST_LEVEL_ATTRIBUTE "nsslapd-max-filter-nest-level"
 #define CONFIG_VERSIONSTRING_ATTRIBUTE "nsslapd-versionstring"
 #define CONFIG_ENQUOTE_SUP_OC_ATTRIBUTE "nsslapd-enquote-sup-oc"
@@ -1981,8 +1982,9 @@
   char *ldapi_gidnumber_type;   /* type that contains gid number */
   char *ldapi_search_base_dn;   /* base dn to search for mapped entries */
   char *ldapi_auto_dn_suffix;   /* suffix to be appended to auto gen DNs */
-  int slapi_counters;            /* switch to turn slapi_counters on/off */
-  int allow_unauth_binds;        /* switch to enable/disable unauthenticated binds */
+  int slapi_counters;           /* switch to turn slapi_counters on/off */
+  int allow_unauth_binds;       /* switch to enable/disable unauthenticated binds */
+  size_t maxsasliosize;         /* limit incoming SASL IO packet size */
 #ifndef _WIN32
   struct passwd *localuserinfo; /* userinfo of localuser */
 #endif /* _WIN32 */



