Fix for:

SASL regex segmentation faults with group based acls (ITS#1978) based, in part, by patch submitted by Simon Wilkinson <simon@sxw.org.uk>.

Fix for:
SASL regex segmentation faults with group based acls (ITS#1978) based, in part, by patch submitted by Simon Wilkinson <simon@sxw.org.uk>.
eb581e43 · Kurt Zeilenga · dc441334 · eb581e43 · eb581e43 · eb581e43
Commit eb581e43 authored Jul 28, 2002 by Kurt Zeilenga
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -1046,7 +1046,7 @@ backend_group(
 			target, gr_ndn, op_ndn,
 			group_oc, group_at );
 		
-		if (op->o_tag != LDAP_REQ_BIND) {
+		if ( op->o_tag != LDAP_REQ_BIND && !op->o_do_not_cache ) {
 			g = ch_malloc(sizeof(GroupAssertion) + gr_ndn->bv_len);
 			g->ga_be = be;
 			g->ga_oc = group_oc;

--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -852,6 +852,7 @@ LDAP_SLAPD_F (void) slap_sasl2dn LDAP_P((
 	struct berval *saslname,
 	struct berval *dn ));
 LDAP_SLAPD_F (int) slap_sasl_authorized LDAP_P((
+	Connection *conn,
 	struct berval *authcid,
 	struct berval *authzid ));
 LDAP_SLAPD_F (int) slap_sasl_regexp_config LDAP_P((

--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -780,7 +780,7 @@ slap_sasl_authorize(
 	
 	AC_MEMCPY( &authzDN, auxvals[1].values[0], sizeof(authzDN) );

-	rc = slap_sasl_authorized( &authcDN, &authzDN );
+	rc = slap_sasl_authorized( conn, &authcDN, &authzDN );
 	ch_free( authcDN.bv_val );
 	if ( rc != LDAP_SUCCESS ) {
 #ifdef NEW_LOGGING
@@ -887,7 +887,7 @@ slap_sasl_authorize(
 		return SASL_NOAUTHZ;
 	}

-	rc = slap_sasl_authorized( &authcDN, &authzDN );
+	rc = slap_sasl_authorized(conn, &authcDN, &authzDN );
 	ch_free( authcDN.bv_val );
 	if( rc ) {
 #ifdef NEW_LOGGING

--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -489,8 +489,9 @@ void slap_sasl2dn( Connection *conn, struct berval *saslname, struct berval *dn
 	op.o_ndn = *saslname;
 	op.o_callback = &cb;
 	op.o_time = slap_get_time();
+	op.o_do_not_cache = 1;

-	(*be->be_search)( be, NULL, &op, NULL, &uri.dn,
+	(*be->be_search)( be, conn, &op, NULL, &uri.dn,
 		uri.scope, LDAP_DEREF_NEVER, 1, 0,
 		filter, NULL, NULL, 1 );
 	
@@ -542,7 +543,7 @@ static int sasl_sc_smatch( BackendDB *be, Connection *conn, Operation *o,
 */

 static
-int slap_sasl_match( struct berval *rule, struct berval *assertDN, struct berval *authc )
+int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assertDN, struct berval *authc )
 {
 	struct berval searchbase = {0, NULL};
 	int rc, scope;
@@ -609,8 +610,9 @@ int slap_sasl_match( struct berval *rule, struct berval *assertDN, struct berval
 	op.o_ndn = *authc;
 	op.o_callback = &cb;
 	op.o_time = slap_get_time();
+	op.o_do_not_cache = 1;

-	(*be->be_search)( be, /*conn=*/NULL, &op, /*base=*/NULL, &searchbase,
+	(*be->be_search)( be, conn, &op, /*base=*/NULL, &searchbase,
 	   scope, /*deref=*/1, /*sizelimit=*/0, /*time=*/0, filter, /*fstr=*/NULL,
 	   /*attrs=*/NULL, /*attrsonly=*/0 );

@@ -643,7 +645,11 @@ CONCLUDED:
 * The DNs should not have the dn: prefix
 */
 static int
-slap_sasl_check_authz(struct berval *searchDN, struct berval *assertDN, AttributeDescription *ad, struct berval *authc)
+slap_sasl_check_authz( Connection *conn,
+	struct berval *searchDN,
+	struct berval *assertDN,
+	AttributeDescription *ad,
+	struct berval *authc )
 {
 	int i, rc;
 	BerVarray vals=NULL;
@@ -664,7 +670,7 @@ slap_sasl_check_authz(struct berval *searchDN, struct berval *assertDN, Attribut

 	/* Check if the *assertDN matches any **vals */
 	for( i=0; vals[i].bv_val != NULL; i++ ) {
-		rc = slap_sasl_match( &vals[i], assertDN, authc );
+		rc = slap_sasl_match( conn, &vals[i], assertDN, authc );
 		if ( rc == LDAP_SUCCESS )
 			goto COMPLETE;
 	}
@@ -691,7 +697,8 @@ COMPLETE:
 * The DNs should not have the dn: prefix
 */

-int slap_sasl_authorized( struct berval *authcDN, struct berval *authzDN )
+int slap_sasl_authorized( Connection *conn,
+	struct berval *authcDN, struct berval *authzDN )
 {
 	int rc = LDAP_INAPPROPRIATE_AUTH;

@@ -719,7 +726,7 @@ int slap_sasl_authorized( struct berval *authcDN, struct berval *authzDN )

 	/* Check source rules */
 	if( authz_policy & SASL_AUTHZ_TO ) {
-		rc = slap_sasl_check_authz( authcDN, authzDN,
+		rc = slap_sasl_check_authz( conn, authcDN, authzDN,
 			slap_schema.si_ad_saslAuthzTo, authcDN );
 		if( rc == LDAP_SUCCESS ) {
 			goto DONE;
@@ -728,7 +735,7 @@ int slap_sasl_authorized( struct berval *authcDN, struct berval *authzDN )

 	/* Check destination rules */
 	if( authz_policy & SASL_AUTHZ_FROM ) {
-		rc = slap_sasl_check_authz( authzDN, authcDN,
+		rc = slap_sasl_check_authz( conn, authzDN, authcDN,
 			slap_schema.si_ad_saslAuthzFrom, authcDN );
 		if( rc == LDAP_SUCCESS ) {
 			goto DONE;

--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1490,6 +1490,8 @@ typedef struct slap_op {

 	volatile sig_atomic_t o_abandon;	/* abandon flag */

+	char o_do_not_cache;	/* don't cache from this op */
+
 #define SLAP_NO_CONTROL 0
 #define SLAP_NONCRITICAL_CONTROL 1
 #define SLAP_CRITICAL_CONTROL 2