more about sizelimit disclose issue in back-meta (ITS#4213)
authorPierangelo Masarati <ando@openldap.org>
Sun, 11 Dec 2005 23:39:09 +0000 (23:39 +0000)
committerPierangelo Masarati <ando@openldap.org>
Sun, 11 Dec 2005 23:39:09 +0000 (23:39 +0000)
servers/slapd/back-meta/search.c
tests/data/meta.out
tests/data/slapd-meta.conf
tests/scripts/test035-meta

index 08f61b904db42c98b706b82f4aeeeacbb6191225..f1f8bc2d97d1beb2511d44790604837381c0f184 100644 (file)
@@ -453,7 +453,7 @@ really_bad:;
                                ldap_msgfree( res );
                                res = NULL;
 
-                               switch ( rc ) {
+                               switch ( rs->sr_err ) {
                                case LDAP_SIZELIMIT_EXCEEDED:
                                        savepriv = op->o_private;
                                        op->o_private = (void *)i;
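Review bot: The new `switch ( rs->sr_err )` carries no comment saying why `rs->sr_err` rather than `rc` is the value to test, and the hunk does not show where either one is assigned. Because the `LDAP_SIZELIMIT_EXCEEDED` arm is what enforces the limit fixed under ITS#4213, a one-line comment above the switch would guard against a later edit reverting it: `/* switch on rs->sr_err, not rc: the size-limit case must be recognised here (ITS#4213) */`. The enclosing function starts and ends outside the hunk, so whether the switch has a `default:` arm for unexpected result codes cannot be checked from here.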
index 4826865aa71d075cdf188ce3e1c9de9b8e2809a1..c6aeffe5cbcfd93328b2575717e4387f5642275e 100644 (file)
@@ -1442,3 +1442,29 @@ member: cn=Another Added Group,ou=Groups,o=Example,c=US
 
 # refldap://localhost:9016/cn=Somewhere,ou=Meta,dc=example,dc=com??sub
 
+# Checking server-enforced size limit...
+Size limit exceeded (4)
+dn: ou=Alumni Association,ou=People,o=Example,c=US
+
+dn: cn=Dan Aykroyd,ou=Meta,o=Example,c=US
+
+dn: o=Example,c=US
+
+dn: ou=Groups,o=Example,c=US
+
+dn: cn=John Belushi,ou=Meta,o=Example,c=US
+
+dn: ou=Meta,o=Example,c=US
+
+dn: ou=People,o=Example,c=US
+
+dn: ou=Same as above,ou=Meta,o=Example,c=US
+
+# refldap://localhost:9016/cn=Somewhere,ou=Meta,dc=example,dc=com??sub
+
+# Checking client-requested size limit...
+Size limit exceeded (4)
+dn: o=Example,c=US
+
+dn: ou=Meta,o=Example,c=US
+
index e92ac94655b0388848fe375b4a35cded7d1cdeb2..41db0433a2d428b216b272a7ab0fb57e0b38e7a4 100644 (file)
@@ -59,4 +59,6 @@ suffixmassage "o=Example,c=US" "dc=example,dc=com"
 pseudorootdn   "cn=manager,dc=example,dc=com"
 pseudorootpw   secret
 
+limits         dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=Example,c=US" time=1 size=8
+
 #monitor#database      monitor
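Review bot: The added `limits` line sets `time=1` alongside `size=8`, but the test added in this commit accepts only exit status 4 (size limit exceeded) for that bind DN. On a slow or loaded host the one-second time limit could plausibly trigger before the eighth entry is returned, so the search would end with a different result code and the test would fail for a reason unrelated to the size-limit check. If the time limit is not itself under test, keep the line but drop `time=1`; if it is needed, a comment line above it saying why would help.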
index f66d5cc984c00651a86600fe9aa2e3a8bd5142bf..30075cea8447dedcab14fd1b449763111681ed8c 100755 (executable)
@@ -471,6 +471,50 @@ case $RC in
        ;;
 esac
 
+echo "Checking server-enforced size limit..."
+echo "# Checking server-enforced size limit..." >> $SEARCHOUT
+$LDAPSEARCH -S "" -h $LOCALHOST -p $PORT3 \
+       -D "cn=Bjorn Jensen,ou=Information Technology Division,ou=People,$BASEDN" -w bjorn \
+       -b "$BASEDN" "(objectClass=*)" 1.1 \
+       >> $SEARCHOUT 2>&1
+RC=$?
+case $RC in 
+       0)
+               echo "Search should have failed ($RC)!"
+               test $KILLSERVERS != no && kill -HUP $KILLPIDS
+               exit -1
+       ;;
+       4)
+       ;;
+       *)
+               echo "Search failed ($RC)!"
+               test $KILLSERVERS != no && kill -HUP $KILLPIDS
+               exit $RC
+       ;;
+esac
+
+echo "Checking client-requested size limit..."
+echo "# Checking client-requested size limit..." >> $SEARCHOUT
+$LDAPSEARCH -S "" -h $LOCALHOST -p $PORT3 \
+       -D "cn=Bjorn Jensen,ou=Information Technology Division,ou=People,$BASEDN" -w bjorn \
+       -b "$BASEDN" -z 2 "(objectClass=*)" 1.1 \
+       >> $SEARCHOUT 2>&1
+RC=$?
+case $RC in 
+       0)
+               echo "Search should have failed ($RC)!"
+               test $KILLSERVERS != no && kill -HUP $KILLPIDS
+               exit -1
+       ;;
+       4)
+       ;;
+       *)
+               echo "Search failed ($RC)!"
+               test $KILLSERVERS != no && kill -HUP $KILLPIDS
+               exit $RC
+       ;;
+esac
+
 echo "Filtering ldapsearch results..."
 . $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
 echo "Filtering original ldif used to create database..."
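Review bot: Both new `case` blocks use `exit -1` in their `0)` arm, which is not a valid POSIX exit status: some shells reject a negative argument and others report it as 255, so the harness sees an inconsistent code exactly when the size limit was not enforced. `exit 1` is the portable form. The same arms run `test $KILLSERVERS != no` with the variable unquoted, which becomes a `test` syntax error if it is empty and then skips the `kill`; `test "$KILLSERVERS" != no && kill -HUP $KILLPIDS` avoids that. The two blocks differ only in the label and `-z 2`, so a small shell function taking those two values would remove the duplication.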