From eb581e43e741d6a0d8b745597ad6445a60e66033 Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga <kurt@openldap.org>
Date: Sun, 28 Jul 2002 07:27:55 +0000
Subject: [PATCH] Fix for: 	SASL regex segmentation faults with group
 based acls (ITS#1978) based, in part, by patch submitted by Simon Wilkinson
 <simon@sxw.org.uk>.

---
 servers/slapd/backend.c    |  2 +-
 servers/slapd/proto-slap.h |  1 +
 servers/slapd/sasl.c       |  4 ++--
 servers/slapd/saslauthz.c  | 23 +++++++++++++++--------
 servers/slapd/slap.h       |  2 ++
 5 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
index 8fb2e9a522..3389fceddd 100644
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -1046,7 +1046,7 @@ backend_group(
 			target, gr_ndn, op_ndn,
 			group_oc, group_at );
 		
-		if (op->o_tag != LDAP_REQ_BIND) {
+		if ( op->o_tag != LDAP_REQ_BIND && !op->o_do_not_cache ) {
 			g = ch_malloc(sizeof(GroupAssertion) + gr_ndn->bv_len);
 			g->ga_be = be;
 			g->ga_oc = group_oc;
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 6503d5322e..583b09e5b1 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -852,6 +852,7 @@ LDAP_SLAPD_F (void) slap_sasl2dn LDAP_P((
 	struct berval *saslname,
 	struct berval *dn ));
 LDAP_SLAPD_F (int) slap_sasl_authorized LDAP_P((
+	Connection *conn,
 	struct berval *authcid,
 	struct berval *authzid ));
 LDAP_SLAPD_F (int) slap_sasl_regexp_config LDAP_P((
diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index b9b23458d2..be7b1bb513 100644
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -780,7 +780,7 @@ slap_sasl_authorize(
 	
 	AC_MEMCPY( &authzDN, auxvals[1].values[0], sizeof(authzDN) );
 
-	rc = slap_sasl_authorized( &authcDN, &authzDN );
+	rc = slap_sasl_authorized( conn, &authcDN, &authzDN );
 	ch_free( authcDN.bv_val );
 	if ( rc != LDAP_SUCCESS ) {
 #ifdef NEW_LOGGING
@@ -887,7 +887,7 @@ slap_sasl_authorize(
 		return SASL_NOAUTHZ;
 	}
 
-	rc = slap_sasl_authorized( &authcDN, &authzDN );
+	rc = slap_sasl_authorized(conn, &authcDN, &authzDN );
 	ch_free( authcDN.bv_val );
 	if( rc ) {
 #ifdef NEW_LOGGING
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index ba3b137573..22e6894bcf 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -489,8 +489,9 @@ void slap_sasl2dn( Connection *conn, struct berval *saslname, struct berval *dn
 	op.o_ndn = *saslname;
 	op.o_callback = &cb;
 	op.o_time = slap_get_time();
+	op.o_do_not_cache = 1;
 
-	(*be->be_search)( be, NULL, &op, NULL, &uri.dn,
+	(*be->be_search)( be, conn, &op, NULL, &uri.dn,
 		uri.scope, LDAP_DEREF_NEVER, 1, 0,
 		filter, NULL, NULL, 1 );
 	
@@ -542,7 +543,7 @@ static int sasl_sc_smatch( BackendDB *be, Connection *conn, Operation *o,
  */
 
 static
-int slap_sasl_match( struct berval *rule, struct berval *assertDN, struct berval *authc )
+int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assertDN, struct berval *authc )
 {
 	struct berval searchbase = {0, NULL};
 	int rc, scope;
@@ -609,8 +610,9 @@ int slap_sasl_match( struct berval *rule, struct berval *assertDN, struct berval
 	op.o_ndn = *authc;
 	op.o_callback = &cb;
 	op.o_time = slap_get_time();
+	op.o_do_not_cache = 1;
 
-	(*be->be_search)( be, /*conn=*/NULL, &op, /*base=*/NULL, &searchbase,
+	(*be->be_search)( be, conn, &op, /*base=*/NULL, &searchbase,
 	   scope, /*deref=*/1, /*sizelimit=*/0, /*time=*/0, filter, /*fstr=*/NULL,
 	   /*attrs=*/NULL, /*attrsonly=*/0 );
 
@@ -643,7 +645,11 @@ CONCLUDED:
  * The DNs should not have the dn: prefix
  */
 static int
-slap_sasl_check_authz(struct berval *searchDN, struct berval *assertDN, AttributeDescription *ad, struct berval *authc)
+slap_sasl_check_authz( Connection *conn,
+	struct berval *searchDN,
+	struct berval *assertDN,
+	AttributeDescription *ad,
+	struct berval *authc )
 {
 	int i, rc;
 	BerVarray vals=NULL;
@@ -664,7 +670,7 @@ slap_sasl_check_authz(struct berval *searchDN, struct berval *assertDN, Attribut
 
 	/* Check if the *assertDN matches any **vals */
 	for( i=0; vals[i].bv_val != NULL; i++ ) {
-		rc = slap_sasl_match( &vals[i], assertDN, authc );
+		rc = slap_sasl_match( conn, &vals[i], assertDN, authc );
 		if ( rc == LDAP_SUCCESS )
 			goto COMPLETE;
 	}
@@ -691,7 +697,8 @@ COMPLETE:
  * The DNs should not have the dn: prefix
  */
 
-int slap_sasl_authorized( struct berval *authcDN, struct berval *authzDN )
+int slap_sasl_authorized( Connection *conn,
+	struct berval *authcDN, struct berval *authzDN )
 {
 	int rc = LDAP_INAPPROPRIATE_AUTH;
 
@@ -719,7 +726,7 @@ int slap_sasl_authorized( struct berval *authcDN, struct berval *authzDN )
 
 	/* Check source rules */
 	if( authz_policy & SASL_AUTHZ_TO ) {
-		rc = slap_sasl_check_authz( authcDN, authzDN,
+		rc = slap_sasl_check_authz( conn, authcDN, authzDN,
 			slap_schema.si_ad_saslAuthzTo, authcDN );
 		if( rc == LDAP_SUCCESS ) {
 			goto DONE;
@@ -728,7 +735,7 @@ int slap_sasl_authorized( struct berval *authcDN, struct berval *authzDN )
 
 	/* Check destination rules */
 	if( authz_policy & SASL_AUTHZ_FROM ) {
-		rc = slap_sasl_check_authz( authzDN, authcDN,
+		rc = slap_sasl_check_authz( conn, authzDN, authcDN,
 			slap_schema.si_ad_saslAuthzFrom, authcDN );
 		if( rc == LDAP_SUCCESS ) {
 			goto DONE;
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index 358ac63340..83456e3ecb 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1490,6 +1490,8 @@ typedef struct slap_op {
 
 	volatile sig_atomic_t o_abandon;	/* abandon flag */
 
+	char o_do_not_cache;	/* don't cache from this op */
+
 #define SLAP_NO_CONTROL 0
 #define SLAP_NONCRITICAL_CONTROL 1
 #define SLAP_CRITICAL_CONTROL 2
-- 
2.39.2