Fixed SASL interactive free bug (ITS#2423)

Fixed liblber multi-value decode bug (ITS#2458) Fixed liblber over read bug (ITS#2465)

Fixed SASL interactive free bug (ITS#2423)
Fixed liblber multi-value decode bug (ITS#2458) Fixed liblber over read bug (ITS#2465)
65f273ba · Kurt Zeilenga · 299a5230 · 65f273ba · 65f273ba · 65f273ba
Commit 65f273ba authored Apr 26, 2003 by Kurt Zeilenga
--- a/CHANGES
+++ b/CHANGES
@@ -8,7 +8,10 @@ OpenLDAP 2.1.18 Engineering
 	Fixed slapd ACL group DN crash (ITS#2467)
 	Fixed slapd substring normalization bug (ITS#2468)
 	Fixed back-bdb search filter empty value bug (ITS#2453)
-	Fixed ldappasswd -y support
+	Fixed SASL interactive free bug (ITS#2423)
+	Fixed liblber multi-value decode bug (ITS#2458)
+	Fixed liblber over read bug (ITS#2465)
+	Fixed ldappasswd -y support (ITS#2441)

 OpenLDAP 2.1.17 Release
 	Fixed libldap_r thread pool context bug (ITS#2404)

--- a/clients/tools/common.c
+++ b/clients/tools/common.c
@@ -670,6 +670,7 @@ tool_bind( LDAP *ld )
 			sasl_mech, NULL, NULL,
 			sasl_flags, lutil_sasl_interact, defaults );

+		lutil_sasl_freedefs( defaults );
 		if( rc != LDAP_SUCCESS ) {
 			ldap_perror( ld, "ldap_sasl_interactive_bind_s" );
 			exit( EXIT_FAILURE );

--- a/libraries/liblber/decode.c
+++ b/libraries/liblber/decode.c
@@ -324,6 +324,7 @@ ber_get_stringbvl( bgbvr *b, ber_len_t *rlen )
 		{
 			if (ber_skip_tag( b->ber, &len ) == LBER_DEFAULT) break;
 			b->ber->ber_ptr += len;
+			b->ber->ber_tag = *(unsigned char *)b->ber->ber_ptr;
 		}
 	}


--- a/libraries/liblber/io.c
+++ b/libraries/liblber/io.c
@@ -510,13 +510,13 @@ ber_get_next(
 	}

 	while (ber->ber_rwptr > (char *)&ber->ber_tag && ber->ber_rwptr <
-		(char *)&ber->ber_len + LENSIZE*2) {
+		(char *)&ber->ber_len + LENSIZE*2 -1) {
 		ber_slen_t sblen;
 		char buf[sizeof(ber->ber_len)-1];
 		ber_len_t tlen = 0;

 		sblen=ber_int_sb_read( sb, ber->ber_rwptr,
-			((char *)&ber->ber_len + LENSIZE*2)-ber->ber_rwptr);
+			((char *)&ber->ber_len + LENSIZE*2 - 1)-ber->ber_rwptr);
 		if (sblen<=0) return LBER_DEFAULT;
 		ber->ber_rwptr += sblen;

@@ -527,10 +527,10 @@ ber_get_next(
 			tag = *p++;
 			if ((tag & LBER_BIG_TAG_MASK) == LBER_BIG_TAG_MASK) {
 				ber_len_t i;
-				for (i=1; (char *)p<ber->ber_rwptr; i++,p++) {
+				for (i=1; (char *)p<ber->ber_rwptr; i++) {
 					tag <<= 8;
-					tag |= *p;
-					if (!(*p & LBER_MORE_TAG_MASK))
+					tag |= *p++;
+					if (!(tag & LBER_MORE_TAG_MASK))
 						break;
 					/* Is the tag too big? */
 					if (i == sizeof(ber_tag_t)-1) {
@@ -542,7 +542,6 @@ ber_get_next(
 				if ((char *)p == ber->ber_rwptr) {
 					return LBER_DEFAULT;
 				}
-				p++;
 			}
 			ber->ber_tag = tag;
 			ber->ber_ptr = (char *)p;

--- a/libraries/libldap/cyrus.c
+++ b/libraries/libldap/cyrus.c
@@ -529,7 +529,6 @@ ldap_int_sasl_bind(
 	sasl_ssf_t		*ssf = NULL;
 	sasl_conn_t	*ctx;
 	sasl_interact_t *prompts = NULL;
-	const void *promptresult = NULL;
 	unsigned credlen;
 	struct berval ccred;
 	ber_socket_t		sd;
@@ -590,9 +589,6 @@ ldap_int_sasl_bind(
 			&credlen,
 			&mech );

-		/* Cyrus SASL library doesn't initialize the prompt result pointer */
-		if( promptresult == NULL && prompts != NULL ) prompts->result = NULL;
-
 		if( pmech == NULL && mech != NULL ) {
 			pmech = mech;

@@ -608,11 +604,6 @@ ldap_int_sasl_bind(
 			if( !interact ) break;
 			res = (interact)( ld, flags, defaults, prompts );

-			/* keep a pointer to the prompt result so we can free it
-			 * after Cyrus SASL has consumed the prompts.
-			 */
-			promptresult = prompts->result;
-
 			if( res != LDAP_SUCCESS ) break;
 		}
 	} while ( saslrc == SASL_INTERACT );
@@ -688,9 +679,6 @@ ldap_int_sasl_bind(
 				(SASL_CONST char **)&ccred.bv_val,
 				&credlen );

-			/* SASL library doesn't initialize the prompt result pointer */
-			if( promptresult == NULL && prompts != NULL ) prompts->result = NULL;
-
 #ifdef NEW_LOGGING
 				LDAP_LOG ( TRANSPORT, DETAIL1, 
 					"ldap_int_sasl_bind: sasl_client_step: %d\n", saslrc,0,0 );
@@ -703,12 +691,6 @@ ldap_int_sasl_bind(
 				int res;
 				if( !interact ) break;
 				res = (interact)( ld, flags, defaults, prompts );
-
-				/* keep a pointer to the prompt result so we can free it
-				 * after Cyrus SASL has consumed the prompts.
-				 */
-				promptresult = prompts->result;
-
 				if( res != LDAP_SUCCESS ) break;
 			}
 		} while ( saslrc == SASL_INTERACT );
@@ -768,8 +750,6 @@ ldap_int_sasl_bind(
 	}

 done:
-	/* free the last prompt result */
-	LDAP_FREE((void*)promptresult);
 	return rc;
 }


--- a/libraries/liblutil/sasl.c
+++ b/libraries/liblutil/sasl.c
@@ -29,9 +29,27 @@ typedef struct lutil_sasl_defaults_s {
 	char *authcid;
 	char *passwd;
 	char *authzid;
+	char **resps;
+	int nresps;
 } lutilSASLdefaults;


+void
+lutil_sasl_freedefs(
+	void *defaults )
+{
+	lutilSASLdefaults *defs = defaults;
+	
+	if (defs->mech) ber_memfree(defs->mech);
+	if (defs->realm) ber_memfree(defs->realm);
+	if (defs->authcid) ber_memfree(defs->authcid);
+	if (defs->passwd) ber_memfree(defs->passwd);
+	if (defs->authzid) ber_memfree(defs->authzid);
+	if (defs->resps) ldap_charray_free(defs->resps);
+
+	ber_memfree(defs);
+}
+
 void *
 lutil_sasl_defaults(
 	LDAP *ld,
@@ -47,11 +65,11 @@ lutil_sasl_defaults(

 	if( defaults == NULL ) return NULL;

-	defaults->mech = mech;
-	defaults->realm = realm;
-	defaults->authcid = authcid;
-	defaults->passwd = passwd;
-	defaults->authzid = authzid;
+	defaults->mech = mech ? ber_strdup(mech) : NULL;
+	defaults->realm = realm ? ber_strdup(realm) : NULL;
+	defaults->authcid = authcid ? ber_strdup(authcid) : NULL;
+	defaults->passwd = passwd ? ber_strdup(passwd) : NULL;
+	defaults->authzid = authzid ? ber_strdup(authzid) : NULL;

 	if( defaults->mech == NULL ) {
 		ldap_get_option( ld, LDAP_OPT_X_SASL_MECH, &defaults->mech );
@@ -65,6 +83,8 @@ lutil_sasl_defaults(
 	if( defaults->authzid == NULL ) {
 		ldap_get_option( ld, LDAP_OPT_X_SASL_AUTHZID, &defaults->authzid );
 	}
+	defaults->resps = NULL;
+	defaults->nresps = 0;

 	return defaults;
 }
@@ -160,7 +180,8 @@ static int interaction(
 	if( interact->len > 0 ) {
 		/* duplicate */
 		char *p = (char *)interact->result;
-		interact->result = strdup( p );
+		ldap_charray_add(&defaults->resps, interact->result);
+		interact->result = defaults->resps[defaults->nresps++];

 		/* zap */
 		memset( p, '\0', interact->len );
@@ -168,15 +189,8 @@ static int interaction(
 	} else {
 use_default:
 		/* input must be empty */
-		interact->result = strdup( (dflt && *dflt) ? dflt : "" );
-		interact->len = interact->result
-			? strlen( interact->result ) : 0;
-	}
-
-	if( defaults && defaults->passwd && interact->id == SASL_CB_PASS ) {
-		/* zap password after first use */
-		memset( defaults->passwd, '\0', strlen(defaults->passwd) );
-		defaults->passwd = NULL;
+		interact->result = (dflt && *dflt) ? dflt : "";
+		interact->len = strlen( interact->result );
 	}

 	return LDAP_SUCCESS;
@@ -190,12 +204,6 @@ int lutil_sasl_interact(
 {
 	sasl_interact_t *interact = in;

-	if( interact->result ) {
-		/* we have results from a previous interaction */
-		free( (void *)interact->result );
-		interact->result = NULL;
-	}
-
 	if( ld == NULL ) return LDAP_PARAM_ERROR;

 	if( flags == LDAP_SASL_INTERACTIVE ) {