fix small issues with dynacl and ACI in general
authorPierangelo Masarati <ando@openldap.org>
Wed, 17 Aug 2005 14:44:41 +0000 (14:44 +0000)
committerPierangelo Masarati <ando@openldap.org>
Wed, 17 Aug 2005 14:44:41 +0000 (14:44 +0000)
servers/slapd/acl.c
servers/slapd/aclparse.c

index d1801f898dc96f698081bac709ae2f2fa75a8292..265b4cb4a60f83c5dc04725b5b5618339796fe73 100644 (file)
@@ -1387,14 +1387,15 @@ slap_acl_mask(
        AccessControlState      *state )
 {
        int             i;
-       Access  *b;
+       Access          *b;
 #ifdef LDAP_DEBUG
-       char accessmaskbuf[ACCESSMASK_MAXLEN];
+       char            accessmaskbuf[ACCESSMASK_MAXLEN];
 #if !defined( SLAP_DYNACL ) && defined( SLAPD_ACI_ENABLED )
-       char accessmaskbuf1[ACCESSMASK_MAXLEN];
+       char            accessmaskbuf1[ACCESSMASK_MAXLEN];
 #endif /* !SLAP_DYNACL && SLAPD_ACI_ENABLED */
 #endif /* DEBUG */
-       const char *attr;
+       const char      *attr;
+       slap_mask_t     a2pmask = ACL_ACCESS2PRIV( *mask );
 
        assert( a != NULL );
        assert( mask != NULL );
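Review bot: The new initializer `slap_mask_t a2pmask = ACL_ACCESS2PRIV( *mask );` dereferences `mask` in the declaration block, before `assert( mask != NULL )` two lines further down has run, so the assertion can no longer catch a null `mask`. Declare `slap_mask_t a2pmask;` without an initializer and assign `a2pmask = ACL_ACCESS2PRIV( *mask );` after the asserts. The body of slap_acl_mask continues outside the hunk.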
@@ -1973,7 +1974,7 @@ slap_acl_mask(
                        /* first check if the right being requested
                         * is allowed by the ACL clause.
                         */
-                       if ( ! ACL_GRANT( b->a_access_mask, *mask ) ) {
+                       if ( ! ACL_PRIV_ISSET( b->a_access_mask, a2pmask ) ) {
                                continue;
                        }
 
@@ -1982,7 +1983,11 @@ slap_acl_mask(
                        ACL_INIT(tdeny);
 
                        for ( da = b->a_dynacl; da; da = da->da_next ) {
-                               slap_access_t   grant, deny;
+                               slap_access_t   grant,
+                                               deny;
+
+                               ACL_INIT(grant);
+                               ACL_INIT(deny);
 
                                Debug( LDAP_DEBUG_ACL, "    <= check a_dynacl: %s\n",
                                        da->da_name, 0, 0 );
@@ -2067,11 +2072,11 @@ slap_acl_mask(
                                * rights given by the acis.
                                */
                                for ( i = 0; !BER_BVISNULL( &at->a_nvals[i] ); i++ ) {
-                                       if (aci_mask( op,
+                                       if ( aci_mask( op,
                                                e, desc, val,
                                                &at->a_nvals[i],
                                                nmatch, matches,
-                                               &grant, &deny, SLAP_ACI_SCOPE_ENTRY ) != 0)
+                                               &grant, &deny, SLAP_ACI_SCOPE_ENTRY ) != 0 )
                                        {
                                                tgrant |= grant;
                                                tdeny |= deny;
@@ -2098,13 +2103,13 @@ slap_acl_mask(
                                                        break;
                                                }
 
-                                               for( i = 0; bvals[i].bv_val != NULL; i++){
+                                               for ( i = 0; !BER_BVISNULL( &bvals[i] ); i++ ) {
 #if 0
                                                        /* FIXME: this breaks acl caching;
                                                         * see also ACL_RECORD_VALUE_STATE above */
                                                        ACL_RECORD_VALUE_STATE;
 #endif
-                                                       if (aci_mask(op, e, desc, val, &bvals[i],
+                                                       if ( aci_mask( op, e, desc, val, &bvals[i],
                                                                        nmatch, matches,
                                                                        &grant, &deny, SLAP_ACI_SCOPE_CHILDREN ) != 0 )
                                                        {
@@ -2213,6 +2218,8 @@ slap_acl_mask(
                        *mask = modmask;
                }
 
+               a2pmask = *mask;
+
                Debug( LDAP_DEBUG_ACL,
                        "<= acl_mask: [%d] mask: %s\n",
                        i, accessmask2str(*mask, accessmaskbuf, 1), 0 );
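Review bot: `a2pmask = *mask;` stores the raw mask, whereas the initial value at the top of slap_acl_mask goes through `ACL_ACCESS2PRIV( *mask )`, and nothing in the visible lines explains why the conversion is not needed here. Because `a2pmask` feeds the `ACL_PRIV_ISSET( b->a_access_mask, a2pmask )` gate on dynacl clauses, the difference decides which clauses are evaluated on later iterations. If the intent is that `*mask` already holds privilege bits at this point, a comment such as `/* *mask is already a privilege mask here; no ACL_ACCESS2PRIV needed */` would record it; this needs confirming against the macro definitions, which are not shown. The loop this line belongs to starts outside the hunk.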
index 4f55ae61d254e8fc664c3992cd5cc0455790fa47..5c124830d65478af79fca139662ce35be04e881e 100644 (file)
@@ -2250,6 +2250,20 @@ access_free( Access *a )
        if ( !BER_BVISNULL( &a->a_group_pat ) ) {
                free( a->a_group_pat.bv_val );
        }
+       if ( a->a_dynacl != NULL ) {
+               slap_dynacl_t   *da;
+               for ( da = a->a_dynacl; da; ) {
+                       slap_dynacl_t   *tmp = da;
+
+                       da = da->da_next;
+
+                       if ( tmp->da_destroy ) {
+                               tmp->da_destroy( tmp->da_private );
+                       }
+
+                       ch_free( tmp );
+               }
+       }
        free( a );
 }
 
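Review bot: Private data is released only through `tmp->da_destroy`, so a dynacl node with `da_private` set but no `da_destroy` has its node freed and its private pointer silently dropped. If the contract is that the module owns its private data, say so above the loop, e.g. `/* da_private belongs to the dynacl module; it is released only via da_destroy */`. The outer `if ( a->a_dynacl != NULL )` is redundant with the `for` condition and could be dropped. access_free starts outside the hunk.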
@@ -2263,6 +2277,9 @@ acl_free( AccessControl *a )
                filter_free( a->acl_filter );
        }
        if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
+               if ( a->acl_dn_style == ACL_STYLE_REGEX ) {
+                       regfree( &a->acl_dn_re );
+               }
                free ( a->acl_dn_pat.bv_val );
        }
        if ( a->acl_attrs ) {
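Review bot: `regfree( &a->acl_dn_re )` is keyed on `acl_dn_style == ACL_STYLE_REGEX` and a non-null `acl_dn_pat`, not on whether `regcomp` actually succeeded for this ACL. If acl_free can run on a partially parsed ACL (for instance on a parse-error path, which is not visible here), this would call regfree on a `regex_t` that was never compiled, which is undefined. It is worth confirming in the parser that style and pattern are only left set once the regex has compiled, and recording that invariant in a comment next to this check. acl_free starts and ends outside the hunk.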
@@ -2523,8 +2540,9 @@ access2text( Access *b, char *ptr )
 
                for ( da = b->a_dynacl; da; da = da->da_next ) {
                        if ( da->da_unparse ) {
-                               struct berval bv;
+                               struct berval bv = BER_BVNULL;
                                (void)( *da->da_unparse )( da->da_private, &bv );
+                               assert( !BER_BVISNULL( &bv ) );
                                ptr = lutil_strcopy( ptr, bv.bv_val );
                                ch_free( bv.bv_val );
                        }
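Review bot: The only guard between a `da_unparse` callback that leaves `bv` empty and `lutil_strcopy( ptr, bv.bv_val )` is `assert( !BER_BVISNULL( &bv ) )`, which disappears in NDEBUG builds, and the callback's return value is still discarded with `(void)`. A runtime check before the copy, `if ( BER_BVISNULL( &bv ) ) continue;`, would keep a misbehaving dynacl module from causing a null dereference in production builds. The copy into `ptr` has no length bound visible in this hunk; how access2text sizes its buffer is outside it.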