Commit eb581e43 authored by Kurt Zeilenga's avatar Kurt Zeilenga

Fix for:

	SASL regex segmentation faults with group based acls (ITS#1978)
based, in part, on a patch submitted by Simon Wilkinson <simon@sxw.org.uk>.
parent dc441334
......@@ -1046,7 +1046,7 @@ backend_group(
target, gr_ndn, op_ndn,
group_oc, group_at );
if (op->o_tag != LDAP_REQ_BIND) {
if ( op->o_tag != LDAP_REQ_BIND && !op->o_do_not_cache ) {
g = ch_malloc(sizeof(GroupAssertion) + gr_ndn->bv_len);
g->ga_be = be;
g->ga_oc = group_oc;
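Review bot: The new `!op->o_do_not_cache` test on the fourth line of this hunk reads a field that is only meaningful if every Operation reaching backend_group has it initialized; the two internal ops in saslauthz.c assign it explicitly, but an Operation built on the stack or allocated without being zeroed would carry an indeterminate value here, so either the struct must be cleared at every construction site or the field must be set wherever an Operation is created. The same concern applies to the field added to struct slap_op in the slap.h hunk. A comment on the condition would also help the next reader, e.g. `/* internal ops (SASL authz lookups) set o_do_not_cache: never add their group results to the cache */`. backend_group begins and ends outside this hunk.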
......
......@@ -852,6 +852,7 @@ LDAP_SLAPD_F (void) slap_sasl2dn LDAP_P((
struct berval *saslname,
struct berval *dn ));
LDAP_SLAPD_F (int) slap_sasl_authorized LDAP_P((
Connection *conn,
struct berval *authcid,
struct berval *authzid ));
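Review bot: The new `Connection *conn` parameter of slap_sasl_authorized is undocumented in the prototype, in particular whether a NULL connection is accepted; the implementation forwards it unchanged into be_search (see the saslauthz.c hunks), where the old code passed an explicit NULL, so callers need to know what they may pass. A one-line comment above the declaration, e.g. `/* conn: connection on whose behalf the internal authz searches run; forwarded to be_search */`, would settle it.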
LDAP_SLAPD_F (int) slap_sasl_regexp_config LDAP_P((
......
......@@ -780,7 +780,7 @@ slap_sasl_authorize(
AC_MEMCPY( &authzDN, auxvals[1].values[0], sizeof(authzDN) );
rc = slap_sasl_authorized( &authcDN, &authzDN );
rc = slap_sasl_authorized( conn, &authcDN, &authzDN );
ch_free( authcDN.bv_val );
if ( rc != LDAP_SUCCESS ) {
#ifdef NEW_LOGGING
......@@ -887,7 +887,7 @@ slap_sasl_authorize(
return SASL_NOAUTHZ;
}
rc = slap_sasl_authorized( &authcDN, &authzDN );
rc = slap_sasl_authorized(conn, &authcDN, &authzDN );
ch_free( authcDN.bv_val );
if( rc ) {
#ifdef NEW_LOGGING
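Review bot: The second call site, `rc = slap_sasl_authorized(conn, &authcDN, &authzDN );`, drops the space after the opening parenthesis that the first hunk and the surrounding code use (`slap_sasl_authorized( conn, ...`); it should read `rc = slap_sasl_authorized( conn, &authcDN, &authzDN );`. Both call sites are inside slap_sasl_authorize, whose body extends outside these hunks.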
......
......@@ -489,8 +489,9 @@ void slap_sasl2dn( Connection *conn, struct berval *saslname, struct berval *dn
op.o_ndn = *saslname;
op.o_callback = &cb;
op.o_time = slap_get_time();
op.o_do_not_cache = 1;
(*be->be_search)( be, NULL, &op, NULL, &uri.dn,
(*be->be_search)( be, conn, &op, NULL, &uri.dn,
uri.scope, LDAP_DEREF_NEVER, 1, 0,
filter, NULL, NULL, 1 );
......@@ -542,7 +543,7 @@ static int sasl_sc_smatch( BackendDB *be, Connection *conn, Operation *o,
*/
static
int slap_sasl_match( struct berval *rule, struct berval *assertDN, struct berval *authc )
int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assertDN, struct berval *authc )
{
struct berval searchbase = {0, NULL};
int rc, scope;
......@@ -609,8 +610,9 @@ int slap_sasl_match( struct berval *rule, struct berval *assertDN, struct berval
op.o_ndn = *authc;
op.o_callback = &cb;
op.o_time = slap_get_time();
op.o_do_not_cache = 1;
(*be->be_search)( be, /*conn=*/NULL, &op, /*base=*/NULL, &searchbase,
(*be->be_search)( be, conn, &op, /*base=*/NULL, &searchbase,
scope, /*deref=*/1, /*sizelimit=*/0, /*time=*/0, filter, /*fstr=*/NULL,
/*attrs=*/NULL, /*attrsonly=*/0 );
......@@ -643,7 +645,11 @@ CONCLUDED:
* The DNs should not have the dn: prefix
*/
static int
slap_sasl_check_authz(struct berval *searchDN, struct berval *assertDN, AttributeDescription *ad, struct berval *authc)
slap_sasl_check_authz( Connection *conn,
struct berval *searchDN,
struct berval *assertDN,
AttributeDescription *ad,
struct berval *authc )
{
int i, rc;
BerVarray vals=NULL;
......@@ -664,7 +670,7 @@ slap_sasl_check_authz(struct berval *searchDN, struct berval *assertDN, Attribut
/* Check if the *assertDN matches any **vals */
for( i=0; vals[i].bv_val != NULL; i++ ) {
rc = slap_sasl_match( &vals[i], assertDN, authc );
rc = slap_sasl_match( conn, &vals[i], assertDN, authc );
if ( rc == LDAP_SUCCESS )
goto COMPLETE;
}
......@@ -691,7 +697,8 @@ COMPLETE:
* The DNs should not have the dn: prefix
*/
int slap_sasl_authorized( struct berval *authcDN, struct berval *authzDN )
int slap_sasl_authorized( Connection *conn,
struct berval *authcDN, struct berval *authzDN )
{
int rc = LDAP_INAPPROPRIATE_AUTH;
......@@ -719,7 +726,7 @@ int slap_sasl_authorized( struct berval *authcDN, struct berval *authzDN )
/* Check source rules */
if( authz_policy & SASL_AUTHZ_TO ) {
rc = slap_sasl_check_authz( authcDN, authzDN,
rc = slap_sasl_check_authz( conn, authcDN, authzDN,
slap_schema.si_ad_saslAuthzTo, authcDN );
if( rc == LDAP_SUCCESS ) {
goto DONE;
......@@ -728,7 +735,7 @@ int slap_sasl_authorized( struct berval *authcDN, struct berval *authzDN )
/* Check destination rules */
if( authz_policy & SASL_AUTHZ_FROM ) {
rc = slap_sasl_check_authz( authzDN, authcDN,
rc = slap_sasl_check_authz( conn, authzDN, authcDN,
slap_schema.si_ad_saslAuthzFrom, authcDN );
if( rc == LDAP_SUCCESS ) {
goto DONE;
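Review bot: The comment blocks preceding slap_sasl_check_authz and slap_sasl_authorized ("The DNs should not have the dn: prefix") are not updated for the new `conn` argument, which now flows from slap_sasl_authorized through slap_sasl_check_authz and slap_sasl_match into be_search in place of the former literal NULL; each should gain a line such as `* conn is the connection on whose behalf the internal search runs; it is handed to be_search unchanged`. In slap_sasl2dn and slap_sasl_match, `op.o_do_not_cache = 1;` is assigned on a local Operation whose declaration lies outside the hunk; if that struct is not zero-initialised, the other fields backend_group consults (notably `o_tag`, which it compares against LDAP_REQ_BIND) may be indeterminate, so it is worth confirming the op is cleared before these assignments. Finally, the new signature `int slap_sasl_match(Connection *conn, struct berval *rule, ...` lacks the space after `(` that the sibling signatures in this file use; `int slap_sasl_match( Connection *conn, struct berval *rule, struct berval *assertDN, struct berval *authc )` matches them.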
......
......@@ -1490,6 +1490,8 @@ typedef struct slap_op {
volatile sig_atomic_t o_abandon; /* abandon flag */
char o_do_not_cache; /* don't cache from this op */
#define SLAP_NO_CONTROL 0
#define SLAP_NONCRITICAL_CONTROL 1
#define SLAP_CRITICAL_CONTROL 2
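Review bot: The comment on the new field, `/* don't cache from this op */`, does not say who sets it or who honours it; from the other hunks in this commit, the SASL authz code sets it on its internal search ops and backend_group skips the group-cache insertion when it is non-zero, so `/* set on internal ops (SASL authz searches); backend_group does not cache group lookups for them */` would be more useful to a reader of the struct. The enclosing struct slap_op starts and ends outside this hunk.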
......