
Re: bug: openldapaci (slapd crashes if a dn contains '#')



Note that to be considered for inclusion in OpenLDAP
Software, patches MUST be submitted using the Issue
Tracking System as discussed in the contributing
guidelines <http://www.openldap.org/devel/contributing.html>.

Regards, Kurt

At 07:03 PM 8/12/2004, Harald Jung wrote:
>Hello,
>
>problem :
>if a user's cn (aka access-id) contains a '#' and this user has been granted access by an 
>openldapaci definition, then slapd crashes after ' <<< dnNormalize:',
>
>fix:
>the whole dn after the last '#' in an openldapaci will be used now
>
>------snipp-------
>--- acl.c.orig  Thu Aug 12 07:47:00 2004
>+++ acl.c       Thu Aug 12 07:52:48 2004
>@@ -1701,6 +1701,7 @@
>        struct berval *list,
>        int ix,
>        char sep,
>+        int  getall,
>        struct berval *bv )
> {
>        int len;
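Review bot: The new `getall` parameter is added without a comment, and every caller now passes a bare `0` or `1` for it, so the call sites no longer explain themselves. A short comment above the parameter list would help, for example `/* getall: if non-zero, return everything from part ix to the end of list instead of stopping at the next sep */`. The function's name line and most of its body lie outside this hunk.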
>@@ -1725,10 +1726,16 @@
>                return(0);
> 
>        bv->bv_val = p;
>-       while (--len >= 0 && *p != sep) {
>-               bv->bv_len++;
>-               p++;
>-       }
>+        if (getall) {
>+                bv->bv_len = len ;
>+                p += len ;
>+        }
>+        else {
>+                while (--len >= 0 && *p != sep) {
>+                       bv->bv_len++;
>+                       p++;
>+               }
>+        }
>        while (bv->bv_len > 0 && *--p == ' ')
>                bv->bv_len--;
>        return(bv->bv_len);
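Review bot: The added `if (getall)` / `else` block does not line up with the context lines around it (it appears to be indented with spaces where the file uses tabs), and `bv->bv_len = len ;` and `p += len ;` put a space before the semicolon that the rest of the function does not. Re-indent the new block with tabs and write `bv->bv_len = len;` and `p += len;` to match the file. The argument spacing at the updated call sites later in the patch also varies between `',',0, &bv`, `'$', 0,&perm` and `'#', 0, &bv`, and should be made uniform. The start of the function is outside this hunk.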
>@@ -1784,11 +1791,11 @@
>                AttributeDescription *desc = NULL;
> 
>                /* format of string is "entry/setAttrName" */
>-               if (aci_get_part(subj, 0, '/', &subjdn) < 0) {
>+               if (aci_get_part(subj, 0, '/', 0, &subjdn) < 0) {
>                        return(0);
>                }
> 
>-               if ( aci_get_part(subj, 1, '/', &setat) < 0 ) {
>+               if ( aci_get_part(subj, 1, '/', 1, &setat) < 0 ) {
>                        setat = aci_bv_set_attr;
>                }
> 
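Review bot: Passing `1` for the second part in `aci_get_part(subj, 1, '/', 1, &setat)` changes how the set subject is parsed, which the description (a '#' inside a DN) does not cover. With the format stated in the comment, "entry/setAttrName", anything after a second '/' now becomes part of the attribute name instead of being cut off. Unless that is intended and explained, keep the previous behaviour with `aci_get_part(subj, 1, '/', 0, &setat)`. The same question applies to `aci_get_part(&bv, 1, '=',1, &right)` in the attribute-list hunk, where the right-hand side now keeps any further '='. The enclosing function starts and ends outside this hunk.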
>@@ -1835,7 +1842,7 @@
>        int i;
> 
>        ACL_INIT(mask);
>-       for (i = 0; aci_get_part(list, i, ',', &bv) >= 0; i++) {
>+       for (i = 0; aci_get_part(list, i, ',',0, &bv) >= 0; i++) {
>                if (bv.bv_len <= 0)
>                        continue;
>                switch (*bv.bv_val) {
>@@ -1880,9 +1887,9 @@
>        struct berval bv, left, right;
>        int i;
> 
>-       for (i = 0; aci_get_part(list, i, ',', &bv) >= 0; i++) {
>-               if (aci_get_part(&bv, 0, '=', &left) < 0
>-                       || aci_get_part(&bv, 1, '=', &right) < 0)
>+       for (i = 0; aci_get_part(list, i, ',',0, &bv) >= 0; i++) {
>+               if (aci_get_part(&bv, 0, '=',0, &left) < 0
>+                       || aci_get_part(&bv, 1, '=',1, &right) < 0)
>                {
>                        if (ber_bvstrcasecmp(attr, &bv) == 0)
>                                return(1);
>@@ -1905,7 +1912,7 @@
>                                 *
>                                 * Ideally, this would allow r.e. matches.
>                                 */
>-                               if (aci_get_part(&right, 0, '*', &left) < 0
>+                               if (aci_get_part(&right, 0, '*',0, &left) < 0
>                                        || right.bv_len <= left.bv_len)
>                                {
>                                        if (ber_bvstrcasecmp(val, &right) == 
>0)
>@@ -1932,10 +1939,10 @@
> 
>        /* loop through each rights/attr pair, skip first part (action) */
>        ACL_INIT(mask);
>-       for (i = 1; aci_get_part(list, i + 1, ';', &bv) >= 0; i += 2) {
>+       for (i = 1; aci_get_part(list, i + 1, ';',0, &bv) >= 0; i += 2) {
>                if (aci_list_has_attr(&bv, attr, val) == 0)
>                        continue;
>-               if (aci_get_part(list, i, ';', &bv) < 0)
>+               if (aci_get_part(list, i, ';',0, &bv) < 0)
>                        continue;
>                mask |= aci_list_map_rights(&bv);
>        }
>@@ -1963,8 +1970,8 @@
>        ACL_INIT(*grant);
>        ACL_INIT(*deny);
>        /* loop through each permissions clause */
>-       for (i = 0; aci_get_part(list, i, '$', &perm) >= 0; i++) {
>-               if (aci_get_part(&perm, 0, ';', &actn) < 0)
>+       for (i = 0; aci_get_part(list, i, '$', 0,&perm) >= 0; i++) {
>+               if (aci_get_part(&perm, 0, ';', 0,&actn) < 0)
>                        continue;
>                if (ber_bvstrcasecmp( &aci_bv_grant, &actn ) == 0) {
>                        mask = grant;
>@@ -2000,15 +2007,15 @@
>        int rc;
> 
>        /* format of string is "group/objectClassValue/groupAttrName" */
>-       if (aci_get_part(subj, 0, '/', &subjdn) < 0) {
>+       if (aci_get_part(subj, 0, '/',0, &subjdn) < 0) {
>                return(0);
>        }
> 
>-       if (aci_get_part(subj, 1, '/', &grpoc) < 0) {
>+       if (aci_get_part(subj, 1, '/', 0,&grpoc) < 0) {
>                grpoc = *defgrpoc;
>        }
> 
>-       if (aci_get_part(subj, 2, '/', &grpat) < 0) {
>+       if (aci_get_part(subj, 2, '/', 0,&grpat) < 0) {
>                grpat = *defgrpat;
>        }
> 
>@@ -2068,22 +2075,22 @@
>           For now, this routine only supports scope=entry.
>         */
>        /* check that the aci has all 5 components */
>-       if (aci_get_part(aci, 4, '#', NULL) < 0)
>+       if (aci_get_part(aci, 4, '#',1, NULL) < 0)
>                return(0);
> 
>        /* check that the aci family is supported */
>-       if (aci_get_part(aci, 0, '#', &bv) < 0)
>+       if (aci_get_part(aci, 0, '#', 0, &bv) < 0)
>                return(0);
> 
>        /* check that the scope matches */
>-       if (aci_get_part(aci, 1, '#', &bv) < 0
>+       if (aci_get_part(aci, 1, '#', 0, &bv) < 0
>                || ber_bvstrcasecmp( scope, &bv ) != 0)
>        {
>                return(0);
>        }
> 
>        /* get the list of permissions clauses, bail if empty */
>-       if (aci_get_part(aci, 2, '#', &perms) <= 0)
>+       if (aci_get_part(aci, 2, '#', 0, &perms) <= 0)
>                return(0);
> 
>        /* check if any permissions allow desired access */
>@@ -2091,10 +2098,10 @@
>                return(0);
> 
>        /* see if we have a DN match */
>-       if (aci_get_part(aci, 3, '#', &bv) < 0)
>+       if (aci_get_part(aci, 3, '#', 0, &bv) < 0)
>                return(0);
> 
>-       if (aci_get_part(aci, 4, '#', &sdn) < 0)
>+       if (aci_get_part(aci, 4, '#', 1, &sdn) < 0)
>                return(0);
> 
>        if (ber_bvstrcasecmp( &aci_bv_access_id, &bv ) == 0) {
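Review bot: Taking the rest of the value as the subject in `aci_get_part(aci, 4, '#', 1, &sdn)` stops the truncation at '#', but nothing visible in the patch handles a subject that still fails to normalize. ACI values are directory data, so a malformed subject should never be able to take slapd down. The code that consumes `sdn` is outside this hunk; if the reported crash came from using the output of a failed dnNormalize (inferred from the description), that path presumably remains reachable with other malformed subjects. Check the normalization result where `sdn` is used and `return(0)` on failure, so that the ACI grants nothing. Note also that the code takes everything after the fourth '#', not after the last '#' as the description says.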
>
>------snipp-------
>
>best regards 
>Harald Jung