From: Pierangelo Masarati <ando@openldap.org>
Date: Mon, 20 Oct 2008 23:16:40 +0000 (+0000)
Subject: NO-OP must be critical and apply to selected operations (ITS#5758)
X-Git-Tag: ACLCHECK_0~1216
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=e233a8e9ee1bcc6b19dd5f2728de951486692614;p=openldap

NO-OP must be critical and apply to selected operations (ITS#5758)
---

diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c
index f2efdd1696..05aa30e284 100644
--- a/servers/slapd/controls.c
+++ b/servers/slapd/controls.c
@@ -1038,6 +1038,26 @@ static int parseNoOp (
 		return LDAP_PROTOCOL_ERROR;
 	}
 
+	if ( !ctrl->ldctl_iscritical ) {
+		rs->sr_text = "noop control not critical";
+		return LDAP_PROTOCOL_ERROR;
+	}
+
+	switch ( op->o_tag ) {
+	case LDAP_REQ_ADD:
+	case LDAP_REQ_MODIFY:
+	case LDAP_REQ_RENAME:
+	case LDAP_REQ_DELETE:
+	/* NOTE: only selected extended operations should be eligible;
+	 * checking is delegated to the appropriate handlers */
+	case LDAP_REQ_EXTENDED:
+		break;
+
+	default:
+		rs->sr_text = "noop control on non-allowed operation";
+		return LDAP_PROTOCOL_ERROR;
+	}
+
 	op->o_noop = ctrl->ldctl_iscritical
 		? SLAP_CONTROL_CRITICAL
 		: SLAP_CONTROL_NONCRITICAL;