paranoid check for escaped dn separators when naively checking for rdn boundary

diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index f2b9d36caea25afa3e796c54188126b519a4cb13..7c8a3a0a953b2e1d15fc6ab28e941a4d2fb021f7 100644 (file)
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -352,7 +352,7 @@ acl_get(
                                        if ( dnlen <= patlen )
                                                continue;
 
-                                       if ( e->e_ndn[dnlen - patlen - 1] != ',' )
+                                       if ( !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) || DN_ESCAPE( e->e_ndn[dnlen - patlen - 2] ) )
                                                continue;
 
                                        rdn = dn_rdn( NULL, e->e_ndn );
@@ -364,13 +364,13 @@ acl_get(
                                                continue;
 
                                } else if ( a->acl_dn_style == ACL_STYLE_SUBTREE ) {
-                                       if ( dnlen > patlen && e->e_ndn[dnlen - patlen - 1] != ',' )
+                                       if ( dnlen > patlen && ( !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) || DN_ESCAPE( e->e_ndn[dnlen - patlen - 2] ) ) )
                                                continue;
 
                                } else if ( a->acl_dn_style == ACL_STYLE_CHILDREN ) {
                                        if ( dnlen <= patlen )
                                                continue;
-                                       if ( e->e_ndn[dnlen - patlen - 1] != ',' )
+                                       if ( !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) || DN_ESCAPE( e->e_ndn[dnlen - patlen - 2] ) )
                                                continue;
                                }
 
@@ -559,7 +559,7 @@ acl_mask(
                                        if ( odnlen <= patlen )
                                                continue;
 
-                                       if ( op->o_ndn[odnlen - patlen - 1] != ',' )
+                                       if ( !DN_SEPARATOR( op->o_ndn[odnlen - patlen - 1] ) || DN_ESCAPE( op->o_ndn[odnlen - patlen - 2] ) )
                                                continue;
 
                                        rdn = dn_rdn( NULL, op->o_ndn );
@@ -571,13 +571,13 @@ acl_mask(
                                                continue;
 
                                } else if ( b->a_dn_style == ACL_STYLE_SUBTREE ) {
-                                       if ( odnlen > patlen && op->o_ndn[odnlen - patlen - 1] != ',' )
+                                       if ( odnlen > patlen && ( !DN_SEPARATOR( op->o_ndn[odnlen - patlen - 1] ) || DN_ESCAPE( op->o_ndn[odnlen - patlen - 2] ) ) )
                                                continue;
 
                                } else if ( b->a_dn_style == ACL_STYLE_CHILDREN ) {
                                        if ( odnlen <= patlen )
                                                continue;
-                                       if ( op->o_ndn[odnlen - patlen - 1] != ',' )
+                                       if ( !DN_SEPARATOR( op->o_ndn[odnlen - patlen - 1] ) || DN_ESCAPE( op->o_ndn[odnlen - patlen - 2] ) )
                                                continue;
                                }
 

diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
index 86a787b76f081826eda81749b2ee08aa1f1f896c..85ce0983744751b6114445373d94cdaa05739039 100644 (file)
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -525,7 +525,7 @@ select_backend(
                        }
 
                        
-                       if ( len && len < dnlen && !DN_SEPARATOR( dn[(dnlen-len)-1] ) ) {
+                       if ( len && len < dnlen && ( !DN_SEPARATOR( dn[(dnlen-len)-1] ) || DN_ESCAPE( dn[(dnlen-len)-2] ) ) ) {
                                /* make sure we have a separator */
                                continue;
                        }

diff --git a/servers/slapd/limits.c b/servers/slapd/limits.c
index 65f87d87f78b122776e0e189d7a1870b5be01ec8..f45785921de596a55b0385b671d236f687de423c 100644 (file)
--- a/servers/slapd/limits.c
+++ b/servers/slapd/limits.c
@@ -68,7 +68,7 @@ get_limits(
                                }
                        } else {
                                /* check for unescaped rdn separator */
-                               if ( !DN_SEPARATOR( ndn[d-1] ) || SLAP_ESCAPE_CHAR == ndn[d-2] ) {
+                               if ( !DN_SEPARATOR( ndn[d-1] ) || DN_ESCAPE( ndn[d-2] ) ) {
                                        break;
                                }
                        }

diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index cd7909aeb6d449ef18eb4f2e74afae9eb568eec4..25ba691f615630e1933b289901638a52057f8a3e 100644 (file)
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -85,6 +85,7 @@ LDAP_BEGIN_DECL
 #define FILTER_ESCAPE(c) ( (c) == '*' || (c) == '\\' \
        || (c) == '(' || (c) == ')' || !ASCII_PRINTABLE(c) )
 
+#define DN_ESCAPE(c)   ((c) == SLAP_ESCAPE_CHAR)
 #define DN_SEPARATOR(c)        ((c) == ',' || (c) == ';')
 #define RDN_ATTRTYPEANDVALUE_SEPARATOR(c) ((c) == '+') /* RFC 2253 */
 #define RDN_SEPARATOR(c) (DN_SEPARATOR(c) || RDN_ATTRTYPEANDVALUE_SEPARATOR(c))