ITS#9251 make max filter depth configurable

doc/man/man5/slapd-config.5

@@ -689,6 +689,10 @@ This level should usually also be included when using other loglevels, to
 help analyze the logs.
 .RE
 .TP
+.B olcMaxFilterDepth: <integer>
+Specify the maximum depth of nested filters in search requests.
+The default is 1000.
+.TP
 .B olcPasswordCryptSaltFormat: <format>
 Specify the format of the salt passed to
 .BR crypt (3)

doc/man/man5/slapd.conf.5

@@ -743,6 +743,10 @@ This level should usually also be included when using other loglevels, to
 help analyze the logs.
 .RE
 .TP
+.B maxfilterdepth <integer>
+Specify the maximum depth of nested filters in search requests.
+The default is 1000.
+.TP
 .B moduleload <filename>
 Specify the name of a dynamically loadable module to load. The filename
 may be an absolute path name or a simple filename. Non-absolute names

servers/slapd/bconfig.c

@@ -480,6 +480,10 @@ static ConfigTable config_back_cf_table[] = {
 		&config_generic, "( OLcfgDbAt:0.6 NAME 'olcMaxDerefDepth' "
 			"EQUALITY integerMatch "
 			"SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
+	{ "maxFilterDepth", "depth", 2, 2, 0, ARG_INT,
+		&slap_max_filter_depth, "( OLcfgGlAt:101 NAME 'olcMaxFilterDepth' "
+			"EQUALITY integerMatch "
+			"SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
 	{ "multiprovider", "on|off", 2, 2, 0, ARG_DB|ARG_ON_OFF|ARG_MAGIC|CFG_MULTIPROVIDER,
 		&config_generic, "( OLcfgDbAt:0.16 NAME ( 'olcMultiProvider' 'olcMirrorMode' ) "
 			"EQUALITY booleanMatch "
@@ -952,6 +956,7 @@ static ConfigOCs cf_ocs[] = {
 		 "olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexHash64 $ "
 		 "olcIndexIntLen $ "
 		 "olcListenerThreads $ olcLocalSSF $ olcLogFile $ olcLogLevel $ "
+		 "olcMaxFilterDepth $ "
 		 "olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ "
 		 "olcPluginLogFile $ olcReadOnly $ olcReferral $ "
 		 "olcReplogFile $ olcRequires $ olcRestrict $ olcReverseLookup $ "

servers/slapd/config.c

@@ -84,6 +84,8 @@ ber_len_t sockbuf_max_incoming_auth= SLAP_SB_MAX_INCOMING_AUTH;
 int	slap_conn_max_pending = SLAP_CONN_MAX_PENDING_DEFAULT;
 int	slap_conn_max_pending_auth = SLAP_CONN_MAX_PENDING_AUTH;
 
+int	slap_max_filter_depth = SLAP_MAX_FILTER_DEPTH_DEFAULT;
+
 char   *slapd_pid_file  = NULL;
 char   *slapd_args_file = NULL;
 

servers/slapd/filter.c

@@ -37,10 +37,6 @@
 const Filter *slap_filter_objectClass_pres;
 const struct berval *slap_filterstr_objectClass_pres;
 
-#ifndef SLAPD_MAX_FILTER_DEPTH
-#define SLAPD_MAX_FILTER_DEPTH	5000
-#endif
-
 static int	get_filter_list(
 	Operation *op,
 	BerElement *ber,
@@ -132,7 +128,7 @@ get_filter0(
 	 *
 	 */
 
-	if( depth > SLAPD_MAX_FILTER_DEPTH ) {
+	if( depth > slap_max_filter_depth ) {
 		*text = "filter nested too deeply";
 		return SLAPD_DISCONNECT;
 	}

servers/slapd/proto-slap.h

@@ -2067,6 +2067,7 @@ LDAP_SLAPD_V (ber_len_t) sockbuf_max_incoming;
 LDAP_SLAPD_V (ber_len_t) sockbuf_max_incoming_auth;
 LDAP_SLAPD_V (int)		slap_conn_max_pending;
 LDAP_SLAPD_V (int)		slap_conn_max_pending_auth;
+LDAP_SLAPD_V (int)		slap_max_filter_depth;
 
 LDAP_SLAPD_V (slap_mask_t)	global_allows;
 LDAP_SLAPD_V (slap_mask_t)	global_disallows;

servers/slapd/slap.h

@@ -143,6 +143,7 @@ LDAP_BEGIN_DECL
 
 #define SLAP_CONN_MAX_PENDING_DEFAULT	100
 #define SLAP_CONN_MAX_PENDING_AUTH	1000
+#define SLAP_MAX_FILTER_DEPTH_DEFAULT	1000
 
 #define SLAP_TEXT_BUFLEN (256)