Fix for:

	SASL regex segmentation faults with group based acls (ITS#1978)
based, in part, by patch submitted by Simon Wilkinson <simon@sxw.org.uk>.

diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
index 8fb2e9a5223c4e9e03df6f1f48f3754e92a56e5b..3389fceddd787c5ef4cc25a028c3bec3df7a3f3f 100644 (file)
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -1046,7 +1046,7 @@ backend_group(
                        target, gr_ndn, op_ndn,
                        group_oc, group_at );
                
-               if (op->o_tag != LDAP_REQ_BIND) {
+               if ( op->o_tag != LDAP_REQ_BIND && !op->o_do_not_cache ) {
                        g = ch_malloc(sizeof(GroupAssertion) + gr_ndn->bv_len);
                        g->ga_be = be;
                        g->ga_oc = group_oc;

diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 6503d5322ec7ef841df00492d0daa4b5311a8f1f..583b09e5b1fbb6af05bbd40df8061fec4988b655 100644 (file)
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -852,6 +852,7 @@ LDAP_SLAPD_F (void) slap_sasl2dn LDAP_P((
        struct berval *saslname,
        struct berval *dn ));
 LDAP_SLAPD_F (int) slap_sasl_authorized LDAP_P((
+       Connection *conn,
        struct berval *authcid,
        struct berval *authzid ));
 LDAP_SLAPD_F (int) slap_sasl_regexp_config LDAP_P((

diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index b9b23458d250445ea3c280dfdf0ae12436872f63..be7b1bb51368184bfe5dc8c897e53c0fa3d2ff77 100644 (file)
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -780,7 +780,7 @@ slap_sasl_authorize(
        
        AC_MEMCPY( &authzDN, auxvals[1].values[0], sizeof(authzDN) );
 
-       rc = slap_sasl_authorized( &authcDN, &authzDN );
+       rc = slap_sasl_authorized( conn, &authcDN, &authzDN );
        ch_free( authcDN.bv_val );
        if ( rc != LDAP_SUCCESS ) {
 #ifdef NEW_LOGGING
@@ -887,7 +887,7 @@ slap_sasl_authorize(
                return SASL_NOAUTHZ;
        }
 
-       rc = slap_sasl_authorized( &authcDN, &authzDN );
+       rc = slap_sasl_authorized(conn, &authcDN, &authzDN );
        ch_free( authcDN.bv_val );
        if( rc ) {
 #ifdef NEW_LOGGING

diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index ba3b1375738b91608642e0c2bf61e2feea143934..22e6894bcf9e2f8e8ac97806cad5233165a46f24 100644 (file)
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -489,8 +489,9 @@ void slap_sasl2dn( Connection *conn, struct berval *saslname, struct berval *dn
        op.o_ndn = *saslname;
        op.o_callback = &cb;
        op.o_time = slap_get_time();
+       op.o_do_not_cache = 1;
 
-       (*be->be_search)( be, NULL, &op, NULL, &uri.dn,
+       (*be->be_search)( be, conn, &op, NULL, &uri.dn,
                uri.scope, LDAP_DEREF_NEVER, 1, 0,
                filter, NULL, NULL, 1 );
        
@@ -542,7 +543,7 @@ static int sasl_sc_smatch( BackendDB *be, Connection *conn, Operation *o,
  */
 
 static
-int slap_sasl_match( struct berval *rule, struct berval *assertDN, struct berval *authc )
+int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assertDN, struct berval *authc )
 {
        struct berval searchbase = {0, NULL};
        int rc, scope;
@@ -609,8 +610,9 @@ int slap_sasl_match( struct berval *rule, struct berval *assertDN, struct berval
        op.o_ndn = *authc;
        op.o_callback = &cb;
        op.o_time = slap_get_time();
+       op.o_do_not_cache = 1;
 
-       (*be->be_search)( be, /*conn=*/NULL, &op, /*base=*/NULL, &searchbase,
+       (*be->be_search)( be, conn, &op, /*base=*/NULL, &searchbase,
           scope, /*deref=*/1, /*sizelimit=*/0, /*time=*/0, filter, /*fstr=*/NULL,
           /*attrs=*/NULL, /*attrsonly=*/0 );
 
@@ -643,7 +645,11 @@ CONCLUDED:
  * The DNs should not have the dn: prefix
  */
 static int
-slap_sasl_check_authz(struct berval *searchDN, struct berval *assertDN, AttributeDescription *ad, struct berval *authc)
+slap_sasl_check_authz( Connection *conn,
+       struct berval *searchDN,
+       struct berval *assertDN,
+       AttributeDescription *ad,
+       struct berval *authc )
 {
        int i, rc;
        BerVarray vals=NULL;
@@ -664,7 +670,7 @@ slap_sasl_check_authz(struct berval *searchDN, struct berval *assertDN, Attribut
 
        /* Check if the *assertDN matches any **vals */
        for( i=0; vals[i].bv_val != NULL; i++ ) {
-               rc = slap_sasl_match( &vals[i], assertDN, authc );
+               rc = slap_sasl_match( conn, &vals[i], assertDN, authc );
                if ( rc == LDAP_SUCCESS )
                        goto COMPLETE;
        }
@@ -691,7 +697,8 @@ COMPLETE:
  * The DNs should not have the dn: prefix
  */
 
-int slap_sasl_authorized( struct berval *authcDN, struct berval *authzDN )
+int slap_sasl_authorized( Connection *conn,
+       struct berval *authcDN, struct berval *authzDN )
 {
        int rc = LDAP_INAPPROPRIATE_AUTH;
 
@@ -719,7 +726,7 @@ int slap_sasl_authorized( struct berval *authcDN, struct berval *authzDN )
 
        /* Check source rules */
        if( authz_policy & SASL_AUTHZ_TO ) {
-               rc = slap_sasl_check_authz( authcDN, authzDN,
+               rc = slap_sasl_check_authz( conn, authcDN, authzDN,
                        slap_schema.si_ad_saslAuthzTo, authcDN );
                if( rc == LDAP_SUCCESS ) {
                        goto DONE;
@@ -728,7 +735,7 @@ int slap_sasl_authorized( struct berval *authcDN, struct berval *authzDN )
 
        /* Check destination rules */
        if( authz_policy & SASL_AUTHZ_FROM ) {
-               rc = slap_sasl_check_authz( authzDN, authcDN,
+               rc = slap_sasl_check_authz( conn, authzDN, authcDN,
                        slap_schema.si_ad_saslAuthzFrom, authcDN );
                if( rc == LDAP_SUCCESS ) {
                        goto DONE;

diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index 358ac633408191b672fe384e91748b9500ca8097..83456e3ecbcae740ea7541e00cce8584e4acd934 100644 (file)
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1490,6 +1490,8 @@ typedef struct slap_op {
 
        volatile sig_atomic_t o_abandon;        /* abandon flag */
 
+       char o_do_not_cache;    /* don't cache from this op */
+
 #define SLAP_NO_CONTROL 0
 #define SLAP_NONCRITICAL_CONTROL 1
 #define SLAP_CRITICAL_CONTROL 2