[Freeipa-devel] [PATCH 0129] Harden update-policy processing

Adam Tkac atkac at redhat.com
Mon Mar 25 15:15:54 UTC 2013 

On Mon, Mar 25, 2013 at 10:56:05AM +0100, Petr Spacek wrote:
> Hello,
> 
> Harden update-policy processing.
> 
> https://fedorahosted.org/bind-dyndb-ldap/ticket/111
> 
> This patch should prevent crashes similar to 'zonesub' problem
> described in the ticket #111.

Ack

> From 05d73392dc6c0f9f6f7a9e570e4382ccb3c66022 Mon Sep 17 00:00:00 2001
> From: Petr Spacek <pspacek at redhat.com>
> Date: Mon, 25 Mar 2013 10:52:50 +0100
> Subject: [PATCH] Harden update-policy processing.
> 
> https://fedorahosted.org/bind-dyndb-ldap/ticket/111
> 
> Signed-off-by: Petr Spacek <pspacek at redhat.com>
> ---
>  src/acl.c | 41 ++++++++++++++++++++++++++++-------------
>  1 file changed, 28 insertions(+), 13 deletions(-)
> 
> diff --git a/src/acl.c b/src/acl.c
> index ed3bdebcc027f3f5b7b2e9e084cf328ed4f6b1dd..3b5de00f8a40cbc1a876ea2b74e9c2093e48774c 100644
> --- a/src/acl.c
> +++ b/src/acl.c
> @@ -178,32 +178,48 @@ parse(cfg_parser_t *parser, const char *string, cfg_type_t **type,
>  #define MATCH(string_rep, return_val)					\
>  	do {								\
>  		if (!strcasecmp(str, string_rep)) {			\
> -			return return_val;				\
> +			*value = return_val;				\
> +			return ISC_R_SUCCESS;				\
>  		}							\
>  	} while (0)
>  
> -static isc_boolean_t
> -get_mode(const cfg_obj_t *obj)
> +static isc_result_t
> +get_mode(const cfg_obj_t *obj, isc_boolean_t *value)
>  {
>  	const char *str;
>  
> +	if (!cfg_obj_istuple(obj)) {
> +		log_bug("tuple is expected");
> +		return ISC_R_UNEXPECTED;
> +	}
>  	obj = cfg_tuple_get(obj, "mode");
> +	if (!cfg_obj_isstring(obj)) {
> +		log_bug("mode is not defined");
> +		return ISC_R_UNEXPECTED;
> +	}
>  	str = cfg_obj_asstring(obj);
>  
>  	MATCH("grant", ISC_TRUE);
>  	MATCH("deny", ISC_FALSE);
>  
> -	INSIST(0);
> -	/* Not reached. */
> -	return ISC_FALSE;
> +	log_bug("unsupported ACL mode '%s'", str);
> +	return ISC_R_NOTIMPLEMENTED;
>  }
>  
> -static unsigned int
> -get_match_type(const cfg_obj_t *obj)
> +static isc_result_t
> +get_match_type(const cfg_obj_t *obj, unsigned int *value)
>  {
>  	const char *str;
>  
> +	if (!cfg_obj_istuple(obj)) {
> +		log_bug("tuple is expected");
> +		return ISC_R_UNEXPECTED;
> +	}
>  	obj = cfg_tuple_get(obj, "matchtype");
> +	if (!cfg_obj_isstring(obj)) {
> +		log_bug("matchtype is not defined");
> +		return ISC_R_UNEXPECTED;
> +	}
>  	str = cfg_obj_asstring(obj);
>  
>  	MATCH("name", DNS_SSUMATCHTYPE_NAME);
> @@ -232,9 +248,8 @@ get_match_type(const cfg_obj_t *obj)
>  	MATCH("6to4-self", DNS_SSUMATCHTYPE_6TO4SELF);
>  #endif
>  
> -	INSIST(0);
> -	/* Not reached. */
> -	return DNS_SSUMATCHTYPE_NAME;
> +	log_bug("unsupported match type '%s'", str);
> +	return ISC_R_NOTIMPLEMENTED;
>  }
>  
>  static isc_result_t
> @@ -422,8 +437,8 @@ acl_configure_zone_ssutable(const char *policy_str, dns_zone_t *zone)
>  		types = NULL;
>  
>  		stmt = cfg_listelt_value(el);
> -		grant = get_mode(stmt);
> -		match_type = get_match_type(stmt);
> +		CHECK(get_mode(stmt, &grant));
> +		CHECK(get_match_type(stmt, &match_type));
>  
>  		CHECK(get_fixed_name(stmt, "identity", &fident));
>  
> -- 
> 1.7.11.7
> 


-- 
Adam Tkac, Red Hat, Inc.

More information about the Freeipa-devel mailing list