ITS#1716 is_entry_subentr/ies/y/

[openldap] / servers / slapd / dn.c

diff --git a/servers/slapd/dn.c b/servers/slapd/dn.c
index 031c6c7fa8aca62ea108f9c00caa64c392933d82..450691d326a5c076b48dfc116a07b0e8f5f409b5 100644 (file)
--- a/servers/slapd/dn.c
+++ b/servers/slapd/dn.c
@@ -22,6 +22,8 @@ const struct berval slap_empty_bv = { 0, "" };
 
 #define SLAP_LDAPDN_PRETTY 0x1
 
+#define SLAP_LDAPDN_MAXLEN 8192
+
 /*
  * The DN syntax-related functions take advantage of the dn representation
  * handling functions ldap_str2dn/ldap_dn2str.  The latter are not schema-
@@ -113,24 +115,30 @@ dnValidate(
        assert( in );
 
        if ( in->bv_len == 0 ) {
-               return( LDAP_SUCCESS );
+               return LDAP_SUCCESS;
+
+       } else if ( in->bv_len > SLAP_LDAPDN_MAXLEN ) {
+               return LDAP_INVALID_SYNTAX;
        }
 
        rc = ldap_bv2dn( in, &dn, LDAP_DN_FORMAT_LDAP );
+       if ( rc != LDAP_SUCCESS ) {
+               return LDAP_INVALID_SYNTAX;
+       }
+
+       assert( strlen( in->bv_val ) == in->bv_len );
 
        /*
         * Schema-aware validate
         */
-       if ( rc == LDAP_SUCCESS ) {
-               rc = LDAPDN_validate( dn );
-               ldap_dnfree( dn );
-       }
-       
+       rc = LDAPDN_validate( dn );
+       ldap_dnfree( dn );
+
        if ( rc != LDAP_SUCCESS ) {
-               return( LDAP_INVALID_SYNTAX );
+               return LDAP_INVALID_SYNTAX;
        }
 
-       return( LDAP_SUCCESS );
+       return LDAP_SUCCESS;
 }
 
 /*
@@ -234,6 +242,7 @@ LDAPDN_rewrite( LDAPDN *dn, unsigned flags )
                for ( iAVA = 0; rdn[ 0 ][ iAVA ]; iAVA++ ) {
                        LDAPAVA                 *ava = rdn[ 0 ][ iAVA ];
                        AttributeDescription    *ad;
+                       slap_syntax_validate_func *validf = NULL;
                        slap_syntax_transform_func *transf = NULL;
                        MatchingRule *mr;
                        struct berval           bv = { 0, NULL };
@@ -260,17 +269,31 @@ LDAPDN_rewrite( LDAPDN *dn, unsigned flags )
 
                        if( ava->la_flags & LDAP_AVA_BINARY ) {
                                /* AVA is binary encoded, don't muck with it */
+                               validf = NULL;
                                transf = NULL;
                                mr = NULL;
-
                        } else if( flags & SLAP_LDAPDN_PRETTY ) {
+                               validf = NULL;
                                transf = ad->ad_type->sat_syntax->ssyn_pretty;
                                mr = NULL;
                        } else {
+                               validf = ad->ad_type->sat_syntax->ssyn_validate;
                                transf = ad->ad_type->sat_syntax->ssyn_normalize;
                                mr = ad->ad_type->sat_equality;
                        }
 
+                       if ( validf ) {
+                               /* validate value before normalization */
+                               rc = ( *validf )( ad->ad_type->sat_syntax,
+                                       ava->la_value.bv_len
+                                               ? &ava->la_value
+                                               : (struct berval *) &slap_empty_bv );
+
+                               if ( rc != LDAP_SUCCESS ) {
+                                       return LDAP_INVALID_SYNTAX;
+                               }
+                       }
+
                        if ( transf ) {
                                /*
                                 * transform value by normalize/pretty function
@@ -290,9 +313,10 @@ LDAPDN_rewrite( LDAPDN *dn, unsigned flags )
                        if( mr && ( mr->smr_usage & SLAP_MR_DN_FOLD ) ) {
                                char *s = bv.bv_val;
 
-                               ber_str2bv( UTF8normalize( bv.bv_val ? &bv
-                                       : &ava->la_value, LDAP_UTF8_CASEFOLD ),
-                                       0, 0, &bv );
+                               if ( UTF8bvnormalize( &bv, &bv, 
+                                               LDAP_UTF8_CASEFOLD ) == NULL ) {
+                                       return LDAP_INVALID_SYNTAX;
+                               }
                                free( s );
                        }
 
@@ -354,6 +378,8 @@ dnNormalize2(
                        return LDAP_INVALID_SYNTAX;
                }
 
+               assert( strlen( val->bv_val ) == val->bv_len );
+
                /*
                 * Schema-aware rewrite
                 */
@@ -415,7 +441,13 @@ dnPretty2(
 
        Debug( LDAP_DEBUG_TRACE, ">>> dnPretty: <%s>\n", val->bv_val, 0, 0 );
 
-       if ( val->bv_len != 0 ) {
+       if ( val->bv_len == 0 ) {
+               ber_dupbv( out, val );
+
+       } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) {
+               return LDAP_INVALID_SYNTAX;
+
+       } else {
                LDAPDN          *dn = NULL;
                int             rc;
 
@@ -425,6 +457,8 @@ dnPretty2(
                        return LDAP_INVALID_SYNTAX;
                }
 
+               assert( strlen( val->bv_val ) == val->bv_len );
+
                /*
                 * Schema-aware rewrite
                 */
@@ -445,8 +479,6 @@ dnPretty2(
                if ( rc != LDAP_SUCCESS ) {
                        return LDAP_INVALID_SYNTAX;
                }
-       } else {
-               ber_dupbv( out, val );
        }
 
        Debug( LDAP_DEBUG_TRACE, "<<< dnPretty: <%s>\n", out->bv_val, 0, 0 );
@@ -470,7 +502,15 @@ dnPrettyNormal(
        assert( pretty );
        assert( normal );
 
-       if ( val->bv_len != 0 ) {
+       if ( val->bv_len == 0 ) {
+               ber_dupbv( pretty, val );
+               ber_dupbv( normal, val );
+
+       } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) {
+               /* too big */
+               return LDAP_INVALID_SYNTAX;
+
+       } else {
                LDAPDN          *dn = NULL;
                int             rc;
 
@@ -479,17 +519,14 @@ dnPrettyNormal(
                pretty->bv_len = 0;
                normal->bv_len = 0;
 
-               /* FIXME: str2dn should take a bv and handle this */
-               if( strlen( val->bv_val ) != val->bv_len ) {
-                       return LDAP_INVALID_SYNTAX;
-               }
-
                /* FIXME: should be liberal in what we accept */
                rc = ldap_bv2dn( val, &dn, LDAP_DN_FORMAT_LDAP );
                if ( rc != LDAP_SUCCESS ) {
                        return LDAP_INVALID_SYNTAX;
                }
 
+               assert( strlen( val->bv_val ) == val->bv_len );
+
                /*
                 * Schema-aware rewrite
                 */
@@ -523,9 +560,6 @@ dnPrettyNormal(
                        pretty->bv_len = 0;
                        return LDAP_INVALID_SYNTAX;
                }
-       } else {
-               ber_dupbv( pretty, val );
-               ber_dupbv( normal, val );
        }
 
        Debug( LDAP_DEBUG_TRACE, "<<< dnPrettyNormal: <%s>, <%s>\n",
@@ -556,7 +590,8 @@ dnMatch(
        match = value->bv_len - asserted->bv_len;
 
        if ( match == 0 ) {
-               match = strcmp( value->bv_val, asserted->bv_val );
+               match = memcmp( value->bv_val, asserted->bv_val, 
+                               value->bv_len );
        }
 
 #ifdef NEW_LOGGING
@@ -619,7 +654,7 @@ dnExtractRdn(
                return LDAP_OTHER;
        }
 
-       rc = ldap_str2rdn( dn->bv_val, &tmpRDN, (char **)&p, LDAP_DN_FORMAT_LDAP );
+       rc = ldap_bv2rdn( dn, &tmpRDN, (char **)&p, LDAP_DN_FORMAT_LDAP );
        if ( rc != LDAP_SUCCESS ) {
                return rc;
        }
@@ -676,7 +711,9 @@ rdnValidate( struct berval *rdn )
         * input is a pretty or normalized DN
         * hence, we can just search for ','
         */
-       if( rdn == NULL || rdn->bv_len == 0 ) {
+       if( rdn == NULL || rdn->bv_len == 0 ||
+               rdn->bv_len > SLAP_LDAPDN_MAXLEN )
+       {
                return LDAP_INVALID_SYNTAX;
        }
 
@@ -698,7 +735,7 @@ rdnValidate( struct berval *rdn )
        /*
         * must be parsable
         */
-       rc = ldap_str2rdn( rdn, &RDN, (char **)&p, LDAP_DN_FORMAT_LDAP );
+       rc = ldap_bv2rdn( rdn, &RDN, (char **)&p, LDAP_DN_FORMAT_LDAP );
        if ( rc != LDAP_SUCCESS ) {
                return 0;
        }