From 5cd816f4eb2fc09a59cc53267c731d91badcae97 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Sat, 15 Sep 2007 03:08:32 +0000
Subject: [PATCH] ITS#5138 don't scan past the sequence of attributes

---
 servers/slapd/back-ldap/search.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/servers/slapd/back-ldap/search.c b/servers/slapd/back-ldap/search.c
index 4c4f078fb1..047bee5d39 100644
--- a/servers/slapd/back-ldap/search.c
+++ b/servers/slapd/back-ldap/search.c
@@ -588,12 +588,14 @@ ldap_build_entry(
 	Attribute	*attr, **attrp;
 	const char	*text;
 	int		last;
+	char *lastb;
+	ber_len_t len;
 
 	/* safe assumptions ... */
 	assert( ent != NULL );
 	BER_BVZERO( &ent->e_bv );
 
-	if ( ber_scanf( &ber, "{m{", bdn ) == LBER_ERROR ) {
+	if ( ber_scanf( &ber, "{m", bdn ) == LBER_ERROR ) {
 		return LDAP_DECODING_ERROR;
 	}
 
@@ -608,14 +610,18 @@ ldap_build_entry(
 	 * change, should we massage them as well?
 	 */
 	if ( dnPrettyNormal( NULL, bdn, &ent->e_name, &ent->e_nname,
-		op->o_tmpmemctx ) != LDAP_SUCCESS )
-	{
+		op->o_tmpmemctx ) != LDAP_SUCCESS ) {
 		return LDAP_INVALID_DN_SYNTAX;
 	}
 
 	attrp = &ent->e_attrs;
 
-	while ( ber_scanf( &ber, "{m", &a ) != LBER_ERROR ) {
+	if ( ber_first_element( &ber, &len, &lastb ) != LBER_SEQUENCE ) {
+		return LDAP_DECODING_ERROR;
+	}
+
+	while ( ber_next_element( &ber, &len, lastb ) == LBER_SEQUENCE &&
+		ber_scanf( &ber, "{m", &a ) != LBER_ERROR ) {
 		int				i;
 		slap_syntax_validate_func	*validate;
 		slap_syntax_transform_func	*pretty;
-- 
2.39.5