(ITS#3578) Client referral limit not working for V3 referrals

[ipuleston@sonicwall.com]

Full_Name: Ian Puleston
Version: 2.2.17
OS: VxWorks
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (216.217.36.130)


Note that this was encountered in 2.2.17 but the code in question
(libldap/request.c) has not changed between version 2.2.17 and 2.2.23.

I had a bug (now fixed) in my LDAP client implementation that was causing the
new request to be sent back to the same address after a referral, which resulted
in a repeat referral, provoking recursive calls to ldap_chase_v3referrals().
These should have been stopped by the referral counter going over the limit of 5
(gopts->ldo_refhoplimit = LDAP_DEFAULT_REFHOPLIMIT). However, they did not stop
and it continued to recurse until it blew its stack and the system crashed.

The problem appears to be in the call to function ldap_send_server_request()
from ldap_chase_v3referrals(). In ldap_send_server_request() the request's
lr_parentcnt is set to one greater that the lr_parentcnt in the parent
request(parentreq). That would work if the parent was the preceding request each
time, with each subsequent request getting a count one greater than the last.
That is the case when ldap_send_server_request() is called from
ldap_chase_referrals(), but not when it is called from
ldap_chase_v3referrals().

ldap_chase_v3referrals() sets origreq to the original (first) request and passes
that, rather than the prevous request, to ldap_send_server_request() as
parentreq. Hence the lr_parentcnt in parentreq is always 0 for V3 referrals, and
so the lr_parentcnt in the new request is always 1.

To fix it I made the following change in ldap_send_server_request() which should
work for both ldap_chase_referrals() and ldap_chase_v3referrals():

Change:
		lr->lr_parentcnt = parentreq->lr_parentcnt + 1;
To:
		lr->lr_parentcnt = ++parentreq->lr_parentcnt;