From: Kurt Zeilenga Date: Sun, 28 Jul 2002 07:27:55 +0000 (+0000) Subject: Fix for: X-Git-Tag: NO_SLAP_OP_BLOCKS~1305 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=eb581e43e741d6a0d8b745597ad6445a60e66033;p=openldap Fix for: SASL regex segmentation faults with group based acls (ITS#1978) based, in part, by patch submitted by Simon Wilkinson . --- diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c index 8fb2e9a522..3389fceddd 100644 --- a/servers/slapd/backend.c +++ b/servers/slapd/backend.c @@ -1046,7 +1046,7 @@ backend_group( target, gr_ndn, op_ndn, group_oc, group_at ); - if (op->o_tag != LDAP_REQ_BIND) { + if ( op->o_tag != LDAP_REQ_BIND && !op->o_do_not_cache ) { g = ch_malloc(sizeof(GroupAssertion) + gr_ndn->bv_len); g->ga_be = be; g->ga_oc = group_oc; diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h index 6503d5322e..583b09e5b1 100644 --- a/servers/slapd/proto-slap.h +++ b/servers/slapd/proto-slap.h @@ -852,6 +852,7 @@ LDAP_SLAPD_F (void) slap_sasl2dn LDAP_P(( struct berval *saslname, struct berval *dn )); LDAP_SLAPD_F (int) slap_sasl_authorized LDAP_P(( + Connection *conn, struct berval *authcid, struct berval *authzid )); LDAP_SLAPD_F (int) slap_sasl_regexp_config LDAP_P(( diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c index b9b23458d2..be7b1bb513 100644 --- a/servers/slapd/sasl.c +++ b/servers/slapd/sasl.c @@ -780,7 +780,7 @@ slap_sasl_authorize( AC_MEMCPY( &authzDN, auxvals[1].values[0], sizeof(authzDN) ); - rc = slap_sasl_authorized( &authcDN, &authzDN ); + rc = slap_sasl_authorized( conn, &authcDN, &authzDN ); ch_free( authcDN.bv_val ); if ( rc != LDAP_SUCCESS ) { #ifdef NEW_LOGGING @@ -887,7 +887,7 @@ slap_sasl_authorize( return SASL_NOAUTHZ; } - rc = slap_sasl_authorized( &authcDN, &authzDN ); + rc = slap_sasl_authorized(conn, &authcDN, &authzDN ); ch_free( authcDN.bv_val ); if( rc ) { #ifdef NEW_LOGGING diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c index ba3b137573..22e6894bcf 100644 --- a/servers/slapd/saslauthz.c +++ b/servers/slapd/saslauthz.c @@ -489,8 +489,9 @@ void slap_sasl2dn( Connection *conn, struct berval *saslname, struct berval *dn op.o_ndn = *saslname; op.o_callback = &cb; op.o_time = slap_get_time(); + op.o_do_not_cache = 1; - (*be->be_search)( be, NULL, &op, NULL, &uri.dn, + (*be->be_search)( be, conn, &op, NULL, &uri.dn, uri.scope, LDAP_DEREF_NEVER, 1, 0, filter, NULL, NULL, 1 ); @@ -542,7 +543,7 @@ static int sasl_sc_smatch( BackendDB *be, Connection *conn, Operation *o, */ static -int slap_sasl_match( struct berval *rule, struct berval *assertDN, struct berval *authc ) +int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assertDN, struct berval *authc ) { struct berval searchbase = {0, NULL}; int rc, scope; @@ -609,8 +610,9 @@ int slap_sasl_match( struct berval *rule, struct berval *assertDN, struct berval op.o_ndn = *authc; op.o_callback = &cb; op.o_time = slap_get_time(); + op.o_do_not_cache = 1; - (*be->be_search)( be, /*conn=*/NULL, &op, /*base=*/NULL, &searchbase, + (*be->be_search)( be, conn, &op, /*base=*/NULL, &searchbase, scope, /*deref=*/1, /*sizelimit=*/0, /*time=*/0, filter, /*fstr=*/NULL, /*attrs=*/NULL, /*attrsonly=*/0 ); @@ -643,7 +645,11 @@ CONCLUDED: * The DNs should not have the dn: prefix */ static int -slap_sasl_check_authz(struct berval *searchDN, struct berval *assertDN, AttributeDescription *ad, struct berval *authc) +slap_sasl_check_authz( Connection *conn, + struct berval *searchDN, + struct berval *assertDN, + AttributeDescription *ad, + struct berval *authc ) { int i, rc; BerVarray vals=NULL; @@ -664,7 +670,7 @@ slap_sasl_check_authz(struct berval *searchDN, struct berval *assertDN, Attribut /* Check if the *assertDN matches any **vals */ for( i=0; vals[i].bv_val != NULL; i++ ) { - rc = slap_sasl_match( &vals[i], assertDN, authc ); + rc = slap_sasl_match( conn, &vals[i], assertDN, authc ); if ( rc == LDAP_SUCCESS ) goto COMPLETE; } @@ -691,7 +697,8 @@ COMPLETE: * The DNs should not have the dn: prefix */ -int slap_sasl_authorized( struct berval *authcDN, struct berval *authzDN ) +int slap_sasl_authorized( Connection *conn, + struct berval *authcDN, struct berval *authzDN ) { int rc = LDAP_INAPPROPRIATE_AUTH; @@ -719,7 +726,7 @@ int slap_sasl_authorized( struct berval *authcDN, struct berval *authzDN ) /* Check source rules */ if( authz_policy & SASL_AUTHZ_TO ) { - rc = slap_sasl_check_authz( authcDN, authzDN, + rc = slap_sasl_check_authz( conn, authcDN, authzDN, slap_schema.si_ad_saslAuthzTo, authcDN ); if( rc == LDAP_SUCCESS ) { goto DONE; @@ -728,7 +735,7 @@ int slap_sasl_authorized( struct berval *authcDN, struct berval *authzDN ) /* Check destination rules */ if( authz_policy & SASL_AUTHZ_FROM ) { - rc = slap_sasl_check_authz( authzDN, authcDN, + rc = slap_sasl_check_authz( conn, authzDN, authcDN, slap_schema.si_ad_saslAuthzFrom, authcDN ); if( rc == LDAP_SUCCESS ) { goto DONE; diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index 358ac63340..83456e3ecb 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h @@ -1490,6 +1490,8 @@ typedef struct slap_op { volatile sig_atomic_t o_abandon; /* abandon flag */ + char o_do_not_cache; /* don't cache from this op */ + #define SLAP_NO_CONTROL 0 #define SLAP_NONCRITICAL_CONTROL 1 #define SLAP_CRITICAL_CONTROL 2