1
0
forked from jengelh/openldap2
Ralf Haferkamp 2010-07-23 07:28:16 +00:00 committed by Git OBS Bridge
parent 55aa20cad2
commit 4af766a1af
6 changed files with 166 additions and 2 deletions

View File

@ -0,0 +1,38 @@
From e32aa64d19840a3b76da532d200fa1cb733e0672 Mon Sep 17 00:00:00 2001
From: ralf <ralf>
Date: Thu, 20 May 2010 15:08:28 +0000
Subject: Syncprov might lose deletes (ITS#6555)
During the refresh phase the sync filter needs to be adjusted (skipping
the "(entrycsn>=cookie)" part that was inserted) when checking whether a
change needs to be replicated, otherwise we lose DELETES that happen during
the refresh phase.
bnc#606294
1 files changed, 9 insertions(+), 1 deletions(-)
diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c
index 675568e..030edf5 100644
--- a/servers/slapd/overlays/syncprov.c
+++ b/servers/slapd/overlays/syncprov.c
@@ -1301,7 +1301,15 @@ syncprov_matchops( Operation *op, opcookie *opc, int saveit )
op2.o_hdr = &oh;
op2.o_extra = op->o_extra;
op2.o_callback = NULL;
- rc = test_filter( &op2, e, ss->s_op->ors_filter );
+ ldap_pvt_thread_mutex_lock( &ss->s_mutex );
+ if (ss->s_flags & PS_FIX_FILTER) {
+ /* Skip the AND/GE clause that we stuck on in front. We
+ would lose deletes/mods that happen during the refresh
+ phase otherwise (ITS#6555) */
+ op2.ors_filter = ss->s_op->ors_filter->f_and->f_next;
+ }
+ ldap_pvt_thread_mutex_unlock( &ss->s_mutex );
+ rc = test_filter( &op2, e, op2.ors_filter );
}
Debug( LDAP_DEBUG_TRACE, "syncprov_matchops: sid %03x fscope %d rc %d\n",
--
1.7.0.3

View File

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Thu Jul 1 12:48:18 UTC 2010 - rhafer@novell.com
- LDAP clients could crash the server by submitting a specially
crafted LDAP ModRDN operation. (bnc#612430, ITS#6570)
- Delete Operations happening during the "Refresh" phase of
"refreshAndPersist" replication failed to replicate under
certain circumstances (bnc#606294, ITS#6555)
-------------------------------------------------------------------
Mon May 10 13:35:59 UTC 2010 - rhafer@novell.com

View File

@ -28,7 +28,7 @@ BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-de
BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-devel
%endif
Version: 2.4.21
Release: 5
Release: 6
Url: http://www.openldap.org
License: BSD3c(or similar) ; openldap 2.8
%if "%{name}" == "openldap2"
@ -60,6 +60,8 @@ Patch5: slapd-back-hdb-fortify.dif
Patch6: libldap-gethostbyname_r.dif
Patch7: pie-compile.dif
Patch11: slapd-bconfig-del-db.dif
Patch12: Syncprov-might-lose-deletes-ITS-6555.dif
Patch13: slapd-modrdn-crash-ITS-6570.dif
Patch100: openldap-2.3.37.dif
Patch200: slapd_getaddrinfo_dupl.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -180,6 +182,8 @@ Authors:
%patch7
%endif
%patch11
%patch12 -p1
%patch13 -p1
%if %suse_version == 1100
%patch200 -p1
%endif

View File

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Thu Jul 1 12:48:18 UTC 2010 - rhafer@novell.com
- LDAP clients could crash the server by submitting a specially
crafted LDAP ModRDN operation. (bnc#612430, ITS#6570)
- Delete Operations happening during the "Refresh" phase of
"refreshAndPersist" replication failed to replicate under
certain circumstances (bnc#606294, ITS#6555)
-------------------------------------------------------------------
Mon May 10 13:35:59 UTC 2010 - rhafer@novell.com

View File

@ -28,7 +28,7 @@ BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-de
BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-devel
%endif
Version: 2.4.21
Release: 5
Release: 6
Url: http://www.openldap.org
License: BSD3c(or similar) ; openldap 2.8
%if "%{name}" == "openldap2"
@ -60,6 +60,8 @@ Patch5: slapd-back-hdb-fortify.dif
Patch6: libldap-gethostbyname_r.dif
Patch7: pie-compile.dif
Patch11: slapd-bconfig-del-db.dif
Patch12: Syncprov-might-lose-deletes-ITS-6555.dif
Patch13: slapd-modrdn-crash-ITS-6570.dif
Patch100: openldap-2.3.37.dif
Patch200: slapd_getaddrinfo_dupl.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -180,6 +182,8 @@ Authors:
%patch7
%endif
%patch11
%patch12 -p1
%patch13 -p1
%if %suse_version == 1100
%patch200 -p1
%endif

View File

@ -0,0 +1,100 @@
From 6e229f5b94be41c4b9372914ae9bff90ccd81014 Mon Sep 17 00:00:00 2001
From: hyc <hyc>
Date: Sun, 6 Jun 2010 22:02:32 +0000
Subject: slapd modrdn crash (ITS#6570)
part #1 reject RDNs with binary BER values
part #2 reject RDNs with empty values
Unauthenticated LDAP clients could crash the server by submitting a
specially crafted LDAP ModRDN operatoin.
Part #1:
OpenLDAP crashes with segfault during the processing of a modrdn call with
maliciously formed destination rdn string. No authentication is required to
trigger this vulnerability.
Part #2:
OpenLDAP crashes at a null pointer dereference during the processing of modrdn
call with maliciously formed destination rdn string. No authentication is
required to trigger this vulnerability.
3 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/servers/slapd/dn.c b/servers/slapd/dn.c
index 3534e7f..75d2204 100644
--- a/servers/slapd/dn.c
+++ b/servers/slapd/dn.c
@@ -302,16 +302,13 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx )
ava->la_attr = ad->ad_cname;
if( ava->la_flags & LDAP_AVA_BINARY ) {
- if( ava->la_value.bv_len == 0 ) {
- /* BER encoding is empty */
- return LDAP_INVALID_SYNTAX;
- }
+ /* AVA is binary encoded, not supported */
+ return LDAP_INVALID_SYNTAX;
/* Do not allow X-ORDERED 'VALUES' naming attributes */
} else if( ad->ad_type->sat_flags & SLAP_AT_ORDERED_VAL ) {
return LDAP_INVALID_SYNTAX;
- /* AVA is binary encoded, don't muck with it */
} else if( flags & SLAP_LDAPDN_PRETTY ) {
transf = ad->ad_type->sat_syntax->ssyn_pretty;
if( !transf ) {
@@ -379,6 +376,10 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx )
ava->la_value = bv;
ava->la_flags |= LDAP_AVA_FREE_VALUE;
}
+ /* reject empty values */
+ if (!ava->la_value.bv_len) {
+ return LDAP_INVALID_SYNTAX;
+ }
}
rc = LDAP_SUCCESS;
diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c
index e386ef9..e143a7b 100644
--- a/servers/slapd/modrdn.c
+++ b/servers/slapd/modrdn.c
@@ -445,12 +445,19 @@ slap_modrdn2mods(
mod_tmp->sml_values[1].bv_val = NULL;
if( desc->ad_type->sat_equality->smr_normalize) {
mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) );
- (void) (*desc->ad_type->sat_equality->smr_normalize)(
+ rs->sr_err = desc->ad_type->sat_equality->smr_normalize(
SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
desc->ad_type->sat_syntax,
desc->ad_type->sat_equality,
&mod_tmp->sml_values[0],
&mod_tmp->sml_nvalues[0], NULL );
+ if (rs->sr_err != LDAP_SUCCESS) {
+ ch_free(mod_tmp->sml_nvalues);
+ ch_free(mod_tmp->sml_values[0].bv_val);
+ ch_free(mod_tmp->sml_values);
+ ch_free(mod_tmp);
+ goto done;
+ }
mod_tmp->sml_nvalues[1].bv_val = NULL;
} else {
mod_tmp->sml_nvalues = NULL;
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index 68e6d28..d2f4708 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -1732,8 +1732,9 @@ UTF8StringNormalize(
? LDAP_UTF8_APPROX : 0;
val = UTF8bvnormalize( val, &tmp, flags, ctx );
+ /* out of memory or syntax error, the former is unlikely */
if( val == NULL ) {
- return LDAP_OTHER;
+ return LDAP_INVALID_SYNTAX;
}
/* collapse spaces (in place) */
--
1.7.0.3