[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#8244) back-ldap entry_get is wrong

To: openldap-its@OpenLDAP.org
Subject: (ITS#8244) back-ldap entry_get is wrong
From: hyc@openldap.org
Date: Mon, 14 Sep 2015 04:41:57 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

Full_Name: Howard Chu
Version: 2.4
OS: 
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (78.155.236.74)
Submitted by: hyc


The be_entry_get() entry point is only used for internal operations, not
client-initiated operations. Currently it propagates client-provided controls
through, but they don't belong there.

If be_entry_get is invoked due to an ACL evaluation, and the original client
operation was a syncrepl search, and the remote server honors the syncrepl
control, then this query may hang because ldap_back_entry_get() doesn't expect
to handle any Intermediate responses. Worse, if the control requested
RefreshAndPersist, then additional responses may pile up on the session as the
remote server sends persist updates.

Prev by Date: Re: (ITS#8240) OpenLDAP ber_get_next denial of service vulnerability
Next by Date: (ITS#8245) slapo-unique constraints bypassed by manageDsaIt, change to relax?
Index(es):
- Chronological
- Thread