From 212a5374cb81c7bff00f56a7a569b12e81eb4083 Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Tue, 2 Sep 2008 22:23:30 +0000
Subject: [PATCH] ITS#5609

---
 CHANGES                             |  1 +
 doc/man/man5/slapo-constraint.5     |  3 +--
 servers/slapd/overlays/constraint.c | 11 ++++++++++-
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 1a7f00a1f2..4b86a70969 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,7 @@
 OpenLDAP 2.4 Change Log
 
 OpenLDAP 2.4.12 Engineering
+	Fixed slapo-constraint string termination (ITS#5609)
 
 OpenLDAP 2.4.11 Release (2008/07/16)
 	Fixed liblber ber_get_next length decoding (ITS#5580)
diff --git a/doc/man/man5/slapo-constraint.5 b/doc/man/man5/slapo-constraint.5
index 1a60c0e244..2c6a059215 100644
--- a/doc/man/man5/slapo-constraint.5
+++ b/doc/man/man5/slapo-constraint.5
@@ -72,8 +72,7 @@ constraint_attribute title uri
 A specification like the above would reject any
 .B mail
 attribute which did not look like
-.B
-<alpha-numeric string>@mydomain.com
+.BR "<alpha-numeric string>@mydomain.com" .
 It would also reject any
 .B title
 attribute whose values were not listed in the
diff --git a/servers/slapd/overlays/constraint.c b/servers/slapd/overlays/constraint.c
index bb4d9504b1..09fae8e020 100644
--- a/servers/slapd/overlays/constraint.c
+++ b/servers/slapd/overlays/constraint.c
@@ -282,8 +282,16 @@ constraint_cf_gen( ConfigArgs *c )
 				if (ap.lud->lud_dn == NULL)
 					ap.lud->lud_dn = ch_strdup("");
 
-				if (ap.lud->lud_filter == NULL)
+				if (ap.lud->lud_filter == NULL) {
 					ap.lud->lud_filter = ch_strdup("objectClass=*");
+				} else if ( ap.lud->lud_filter[0] == '(' ) {
+					ber_len_t len = strlen( ap.lud->lud_filter );
+					if ( ap.lud->lud_filter[len - 1] != ')' ) {
+							return( ARG_BAD_CONF );
+					}
+					AC_MEMCPY( &ap.lud->lud_filter[0], &ap.lud->lud_filter[1], len - 2 );
+					ap.lud->lud_filter[len - 2] = '\0';
+				}
 
 				ber_str2bv( c->argv[3], 0, 1, &ap.val );
 			} else {
@@ -427,6 +435,7 @@ constraint_violation( constraint *c, struct berval *bv, Operation *op, SlapReply
 		}
 		*ptr++ = ')';
 		*ptr++ = ')';
+		*ptr++ = '\0';
 
 		Debug(LDAP_DEBUG_TRACE, 
 			"==> constraint_violation uri filter = %s\n",
-- 
GitLab