From 0a6e00c60b4dba9a721b7dc0193f960145658cee Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Sun, 12 Dec 2010 04:58:15 +0000
Subject: [PATCH] ITS#6693

---
 CHANGES              |  1 +
 servers/slapd/acl.c  | 10 ++++++----
 servers/slapd/slap.h |  3 ++-
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/CHANGES b/CHANGES
index f8fde1e813..72f41f4676 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,7 @@ OpenLDAP 2.4.24 Engineering
 	Fixed liblutil getpass prompts (ITS#6702)
 	Fixed ldapsearch segfault with deref (ITS#6638)
 	Fixed slapd acl parsing overflow (ITS#6611)
+	Fixed slapd when first acl is value dependent (ITS#6693)
 	Fixed slapd modify to return actual error (ITS#6581)
 	Fixed slapd syncrepl reuse of presence list (ITS#6707)
 	Fixed slapd-bdb entry cache delete failure (ITS#6577)
diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index a1d52492b6..8ea26c1345 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -220,7 +220,7 @@ slap_access_allowed(
 		state = &acl_state;
 	if ( state->as_desc == desc &&
 		state->as_access == access &&
-		state->as_vd_acl != NULL )
+		state->as_vd_acl_present )
 	{
 		a = state->as_vd_acl;
 		count = state->as_vd_acl_count;
@@ -405,7 +405,7 @@ access_allowed_mask(
 		if ( state->as_desc == desc &&
 			state->as_access == access &&
 			state->as_result != -1 &&
-			state->as_vd_acl == NULL )
+			!state->as_vd_acl_present )
 			{
 			Debug( LDAP_DEBUG_ACL,
 				"=> access_allowed: result was in cache (%s)\n",
@@ -615,7 +615,8 @@ slap_acl_get(
 				continue;
 			}
 
-			if ( state->as_vd_acl == NULL ) {
+			if ( !state->as_vd_acl_present ) {
+				state->as_vd_acl_present = 1;
 				state->as_vd_acl = prev;
 				state->as_vd_acl_count = *count - 1;
 				ACL_PRIV_ASSIGN ( state->as_vd_mask, *mask );
@@ -714,7 +715,8 @@ slap_acl_get(
  * Record value-dependent access control state
  */
 #define ACL_RECORD_VALUE_STATE do { \
-		if( state && state->as_vd_acl == NULL ) { \
+		if( state && !state->as_vd_acl_present ) { \
+			state->as_vd_acl_present = 1; \
 			state->as_vd_acl = a; \
 			state->as_vd_acl_count = count; \
 			ACL_PRIV_ASSIGN( state->as_vd_mask, *mask ); \
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index 12ed166cce..d16f3c8d8e 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1542,6 +1542,7 @@ typedef struct AccessControlState {
 
 	/* Value dependent acl where processing can restart */
 	AccessControl  *as_vd_acl;
+	int as_vd_acl_present;
 	int as_vd_acl_count;
 	slap_mask_t		as_vd_mask;
 
@@ -1552,7 +1553,7 @@ typedef struct AccessControlState {
 	/* True if started to process frontend ACLs */
 	int as_fe_done;
 } AccessControlState;
-#define ACL_STATE_INIT { NULL, ACL_NONE, NULL, 0, ACL_PRIV_NONE, -1, 0 }
+#define ACL_STATE_INIT { NULL, ACL_NONE, NULL, 0, 0, ACL_PRIV_NONE, -1, 0 }
 
 typedef struct AclRegexMatches {        
 	int dn_count;
-- 
2.39.5