From 7ad384d9ae77c914dc03f3b286ff77b39e43a54d Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Sat, 29 Sep 2007 10:30:58 +0000
Subject: [PATCH] ITS#5159 slap_passwd_parse fix from HEAD

---
 servers/slapd/back-ldap/extended.c | 13 +++++++------
 servers/slapd/overlays/rwm.c       |  3 +++
 servers/slapd/passwd.c             | 23 +++++++++++++++++------
 3 files changed, 27 insertions(+), 12 deletions(-)

diff --git a/servers/slapd/back-ldap/extended.c b/servers/slapd/back-ldap/extended.c
index cf3aacbb71..57379b8dfa 100644
--- a/servers/slapd/back-ldap/extended.c
+++ b/servers/slapd/back-ldap/extended.c
@@ -125,11 +125,9 @@ ldap_back_exop_passwd(
 	assert( rs->sr_ctrls == NULL );
 
 	if ( BER_BVISNULL( &ndn ) && op->ore_reqdata != NULL ) {
-		/* NOTE: most of this code is mutuated
-		 * from slap_passwd_parse(); we can't call
-		 * that function since now the request data
-		 * has been destroyed by NULL-terminating
-		 * the bervals.  Luckily enough, we only need
+		/* NOTE: most of this code is mutated
+		 * from slap_passwd_parse();
+		 * But here we only need
 		 * the first berval... */
 
 		ber_tag_t tag;
@@ -154,7 +152,7 @@ ldap_back_exop_passwd(
 
 		tag = ber_peek_tag( ber, &len );
 		if ( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_ID ) {
-			tag = ber_scanf( ber, "m", &tmpid );
+			tag = ber_get_stringbv( ber, &tmpid, LBER_BV_NOTERM );
 
 			if ( tag == LBER_ERROR ) {
 				return LDAP_PROTOCOL_ERROR;
@@ -162,8 +160,11 @@ ldap_back_exop_passwd(
 		}
 
 		if ( !BER_BVISEMPTY( &tmpid ) ) {
+			char idNull = tmpid.bv_val[tmpid.bv_len];
+			tmpid.bv_val[tmpid.bv_len] = '\0';
 			rs->sr_err = dnPrettyNormal( NULL, &tmpid, &dn,
 				&ndn, op->o_tmpmemctx );
+			tmpid.bv_val[tmpid.bv_len] = idNull;
 			if ( rs->sr_err != LDAP_SUCCESS ) {
 				/* should have been successfully parsed earlier! */
 				return rs->sr_err;
diff --git a/servers/slapd/overlays/rwm.c b/servers/slapd/overlays/rwm.c
index 88e7146b79..a6df790457 100644
--- a/servers/slapd/overlays/rwm.c
+++ b/servers/slapd/overlays/rwm.c
@@ -845,8 +845,11 @@ rwm_exop_passwd( Operation *op, SlapReply *rs )
 	}
 
 	if ( !BER_BVISNULL( &id ) ) {
+		char idNul = id.bv_val[id.bv_len];
+		id.bv_val[id.bv_len] = '\0';
 		rs->sr_err = dnPrettyNormal( NULL, &id, &op->o_req_dn,
 				&op->o_req_ndn, op->o_tmpmemctx );
+		id.bv_val[id.bv_len] = idNul;
 		if ( rs->sr_err != LDAP_SUCCESS ) {
 			rs->sr_text = "Invalid DN";
 			return rs->sr_err;
diff --git a/servers/slapd/passwd.c b/servers/slapd/passwd.c
index a08bbba4b2..a287bf0356 100644
--- a/servers/slapd/passwd.c
+++ b/servers/slapd/passwd.c
@@ -53,7 +53,7 @@ int passwd_extop(
 	Modifications *ml;
 	slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
 	int i, nhash;
-	char **hashes;
+	char **hashes, idNul;
 	int rc;
 	BackendDB *op_be;
 	int freenewpw = 0;
@@ -77,6 +77,10 @@ int passwd_extop(
 	rs->sr_err = slap_passwd_parse( op->ore_reqdata, &id,
 		&qpw->rs_old, &qpw->rs_new, &rs->sr_text );
 
+	if ( !BER_BVISNULL( &id )) {
+		idNul = id.bv_val[id.bv_len];
+		id.bv_val[id.bv_len] = '\0';
+	}
 	if ( rs->sr_err == LDAP_SUCCESS && !BER_BVISEMPTY( &id ) ) {
 		Statslog( LDAP_DEBUG_STATS, "%s PASSMOD id=\"%s\"%s%s\n",
 			op->o_log_prefix, id.bv_val,
@@ -90,12 +94,15 @@ int passwd_extop(
 	}
 
 	if ( rs->sr_err != LDAP_SUCCESS ) {
+		if ( !BER_BVISNULL( &id ))
+			id.bv_val[id.bv_len] = idNul;
 		return rs->sr_err;
 	}
 
 	if ( !BER_BVISEMPTY( &id ) ) {
 		rs->sr_err = dnPrettyNormal( NULL, &id, &op->o_req_dn,
 				&op->o_req_ndn, op->o_tmpmemctx );
+		id.bv_val[id.bv_len] = idNul;
 		if ( rs->sr_err != LDAP_SUCCESS ) {
 			rs->sr_text = "Invalid DN";
 			rc = rs->sr_err;
@@ -317,6 +324,10 @@ error_return:;
 	return rc;
 }
 
+/* NOTE: The DN in *id is NOT NUL-terminated here. dnNormalize will
+ * reject it in this condition, the caller must NUL-terminate it.
+ * FIXME: should dnNormalize still be complaining about that?
+ */
 int slap_passwd_parse( struct berval *reqdata,
 	struct berval *id,
 	struct berval *oldpass,
@@ -341,9 +352,9 @@ int slap_passwd_parse( struct berval *reqdata,
 	/* ber_init2 uses reqdata directly, doesn't allocate new buffers */
 	ber_init2( ber, reqdata, 0 );
 
-	tag = ber_scanf( ber, "{" /*}*/ );
+	tag = ber_skip_tag( ber, &len );
 
-	if( tag == LBER_ERROR ) {
+	if( tag != LBER_SEQUENCE ) {
 		Debug( LDAP_DEBUG_TRACE,
 			"slap_passwd_parse: decoding error\n", 0, 0, 0 );
 		rc = LDAP_PROTOCOL_ERROR;
@@ -361,7 +372,7 @@ int slap_passwd_parse( struct berval *reqdata,
 			goto done;
 		}
 
-		tag = ber_scanf( ber, "m", id );
+		tag = ber_get_stringbv( ber, id, LBER_BV_NOTERM );
 
 		if( tag == LBER_ERROR ) {
 			Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
@@ -383,7 +394,7 @@ int slap_passwd_parse( struct berval *reqdata,
 			goto done;
 		}
 
-		tag = ber_scanf( ber, "m", oldpass );
+		tag = ber_get_stringbv( ber, oldpass, LBER_BV_NOTERM );
 
 		if( tag == LBER_ERROR ) {
 			Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD parse failed.\n",
@@ -414,7 +425,7 @@ int slap_passwd_parse( struct berval *reqdata,
 			goto done;
 		}
 
-		tag = ber_scanf( ber, "m", newpass );
+		tag = ber_get_stringbv( ber, newpass, LBER_BV_NOTERM );
 
 		if( tag == LBER_ERROR ) {
 			Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: NEW parse failed.\n",
-- 
2.39.5