openldap ber_init will assert if the bv->bv_val is NULL

Have to ensure that all usage of ber_init in the server checks to see if
the bv->bv_val is non-NULL before using ber_init, and return the appropriate
error if it is NULL
Also fixed a problem in dna_extend_exop - would not send the ldap result to
the client in certain error conditions
Reviewed by: nhosoi (Thanks!)
Tested on: RHEL5 x86_64

12 files changed, 50 insertions, 13 deletions

diff --git a/ldap/servers/plugins/acl/aclproxy.c b/ldap/servers/plugins/acl/aclproxy.c
index 9b28489a..46eb437a 100644
--- a/ldap/servers/plugins/acl/aclproxy.c
+++ b/ldap/servers/plugins/acl/aclproxy.c
@@ -98,6 +98,10 @@ parse_LDAPProxyAuth(struct berval *spec_ber, int version, char **errtextp,
 		break;
 	}
 
+	if ( !spec_ber || !spec_ber->bv_val ) {
+		break;
+	}
+
 	/* create_LDAPProxyAuth */
     spec = (LDAPProxyAuth*)slapi_ch_calloc(1,sizeof (LDAPProxyAuth));
 	if (!spec) {
diff --git a/ldap/servers/plugins/chainingdb/cb_controls.c b/ldap/servers/plugins/chainingdb/cb_controls.c
index f6b0653a..8416c0a5 100644
--- a/ldap/servers/plugins/chainingdb/cb_controls.c
+++ b/ldap/servers/plugins/chainingdb/cb_controls.c
@@ -221,7 +221,8 @@ int cb_update_controls( Slapi_PBlock * pb,
             dCount++;
 
         } else
-            if (!strcmp(reqControls[cCount]->ldctl_oid,CB_LDAP_CONTROL_CHAIN_SERVER)) {
+            if (!strcmp(reqControls[cCount]->ldctl_oid,CB_LDAP_CONTROL_CHAIN_SERVER) &&
+                reqControls[cCount]->ldctl_value.bv_val) {
 
             /* Max hop count reached ?                 */
             /* Checked earlier by a call to cb_forward_operation()  */
diff --git a/ldap/servers/plugins/chainingdb/cb_utils.c b/ldap/servers/plugins/chainingdb/cb_utils.c
index 4878e1a8..cfa19a16 100644
--- a/ldap/servers/plugins/chainingdb/cb_utils.c
+++ b/ldap/servers/plugins/chainingdb/cb_utils.c
@@ -147,7 +147,8 @@ int cb_forward_operation(Slapi_PBlock * pb ) {
 		struct berval   *ctl_value=NULL;
 		int iscritical=0;
 
-		if (slapi_control_present(ctrls,CB_LDAP_CONTROL_CHAIN_SERVER,&ctl_value,&iscritical)) {
+		if (slapi_control_present(ctrls,CB_LDAP_CONTROL_CHAIN_SERVER,&ctl_value,&iscritical) &&
+			ctl_value && ctl_value->bv_val) {
 
 			/* Decode control data 			*/
 			/* hop           INTEGER (0 .. maxInt) 	*/
diff --git a/ldap/servers/plugins/deref/deref.c b/ldap/servers/plugins/deref/deref.c
index e7fdaa5c..fb6a54a3 100644
--- a/ldap/servers/plugins/deref/deref.c
+++ b/ldap/servers/plugins/deref/deref.c
@@ -380,6 +380,12 @@ deref_parse_ctrl_value(DerefSpecList *speclist, const struct berval *ctrlbv, int
 
     PR_ASSERT(ctrlbv && ctrlbv->bv_val && ctrlbv->bv_len && ldapcode && ldaperrtext);
 
+    if (!ctrlbv || !ctrlbv->bv_val) {
+        *ldapcode = LDAP_PROTOCOL_ERROR;
+        *ldaperrtext = "Empty deref control value";
+        return;
+    }
+
     ber = ber_init((struct berval *)ctrlbv);
 	for (tag = ber_first_element(ber, &len, &last);
          (tag != LBER_ERROR) && (tag != LBER_END_OF_SEQORSET);
diff --git a/ldap/servers/plugins/dna/dna.c b/ldap/servers/plugins/dna/dna.c
index e60f3714..5419409b 100644
--- a/ldap/servers/plugins/dna/dna.c
+++ b/ldap/servers/plugins/dna/dna.c
@@ -1602,7 +1602,7 @@ static int dna_request_range(struct configEntry *config_entry,
     }
 
     /* Parse response */
-    if (responsedata) {
+    if (responsedata && responsedata->bv_val) {
         respber = ber_init(responsedata);
         if (ber_scanf(respber, "{aa}", &lower_str, &upper_str) == LBER_ERROR) {
             ret = LDAP_PROTOCOL_ERROR;
@@ -3123,7 +3123,7 @@ static int dna_config_check_post_op(Slapi_PBlock * pb)
  ***************************************************/
 static int dna_extend_exop(Slapi_PBlock *pb)
 {
-    int ret = -1;
+    int ret = SLAPI_PLUGIN_EXTENDED_NOT_HANDLED;
     struct berval *reqdata = NULL;
     BerElement *tmp_bere = NULL;
     char *shared_dn = NULL;
@@ -3152,20 +3152,19 @@ static int dna_extend_exop(Slapi_PBlock *pb)
 
     /* Fetch the request data */
     slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &reqdata);
-    if (!reqdata) {
+    if (!reqdata || !reqdata->bv_val) {
         slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM,
                         "dna_extend_exop: No request data received.\n");
         goto free_and_return;
     }
 
     /* decode the exop */
-    if ((tmp_bere = ber_init(reqdata)) == NULL) {
-        ret = -1;
+    if ((reqdata->bv_val == NULL) || (tmp_bere = ber_init(reqdata)) == NULL) {
         goto free_and_return;
     }
 
     if (ber_scanf(tmp_bere, "{a}", &shared_dn) == LBER_ERROR) {
-        ret = -1;
+        ret = LDAP_PROTOCOL_ERROR;
         goto free_and_return;
     }
 
diff --git a/ldap/servers/plugins/replication/repl5_total.c b/ldap/servers/plugins/replication/repl5_total.c
index d2987cdb..99ba838a 100644
--- a/ldap/servers/plugins/replication/repl5_total.c
+++ b/ldap/servers/plugins/replication/repl5_total.c
@@ -729,7 +729,7 @@ decode_total_update_extop(Slapi_PBlock *pb, Slapi_Entry **ep)
 	if (NULL == extop_oid ||
 		((strcmp(extop_oid, REPL_NSDS50_REPLICATION_ENTRY_REQUEST_OID) != 0) && 
 		(strcmp(extop_oid, REPL_NSDS71_REPLICATION_ENTRY_REQUEST_OID) != 0)) ||
-		NULL == extop_value)
+		NULL == extop_value || NULL == extop_value->bv_val)
 	{
 		/* Bogus */
 		goto loser;
diff --git a/ldap/servers/plugins/replication/repl_controls.c b/ldap/servers/plugins/replication/repl_controls.c
index cfd980fd..980bdd89 100644
--- a/ldap/servers/plugins/replication/repl_controls.c
+++ b/ldap/servers/plugins/replication/repl_controls.c
@@ -216,7 +216,7 @@ decode_NSDS50ReplUpdateInfoControl(LDAPControl **controlsp,
 	if (slapi_control_present(controlsp, REPL_NSDS50_UPDATE_INFO_CONTROL_OID,
 	    &ctl_value, &iscritical))
 	{
-		if ((tmp_bere = ber_init(ctl_value)) == NULL)
+		if ((ctl_value->bv_val == NULL) || (tmp_bere = ber_init(ctl_value)) == NULL)
 		{
 			rc = -1;
 			goto loser;
diff --git a/ldap/servers/plugins/replication/repl_extop.c b/ldap/servers/plugins/replication/repl_extop.c
index 527c964e..38af8ab8 100644
--- a/ldap/servers/plugins/replication/repl_extop.c
+++ b/ldap/servers/plugins/replication/repl_extop.c
@@ -342,7 +342,7 @@ decode_startrepl_extop(Slapi_PBlock *pb, char **protocol_oid, char **repl_root,
 	if (NULL == extop_oid ||
 		((strcmp(extop_oid, REPL_START_NSDS50_REPLICATION_REQUEST_OID) != 0) &&
 		(strcmp(extop_oid, REPL_START_NSDS90_REPLICATION_REQUEST_OID) != 0)) ||
-		NULL == extop_value)
+		NULL == extop_value || NULL == extop_value->bv_val)
 	{
 		/* bogus */
 		rc = -1;
@@ -478,7 +478,7 @@ decode_endrepl_extop(Slapi_PBlock *pb, char **repl_root)
 
 	if (NULL == extop_oid ||
 		strcmp(extop_oid, REPL_END_NSDS50_REPLICATION_REQUEST_OID) != 0 ||
-		NULL == extop_value)
+		NULL == extop_value || NULL == extop_value->bv_val)
 	{
 		/* bogus */
 		rc = -1;
@@ -542,7 +542,7 @@ decode_repl_ext_response(struct berval *bvdata, int *response_code,
 	PR_ASSERT(NULL != ruv_bervals);
 
 	if (NULL == bvdata || NULL == response_code || NULL == ruv_bervals ||
-		NULL == data_guid || NULL == data)
+		NULL == data_guid || NULL == data || NULL == bvdata->bv_val)
 	{
 		return_value = -1;
 	}
diff --git a/ldap/servers/plugins/replication/windows_private.c b/ldap/servers/plugins/replication/windows_private.c
index f2bf031e..9ad7681a 100644
--- a/ldap/servers/plugins/replication/windows_private.c
+++ b/ldap/servers/plugins/replication/windows_private.c
@@ -612,6 +612,12 @@ void windows_private_update_dirsync_control(const Repl_Agmt *ra,LDAPControl **co
 #endif
 			goto choke;
 		}
+		else if (!controls[i-1]->ldctl_value.bv_val) {
+#ifdef FOR_DEBUGGING
+			return_value = LDAP_CONTROL_NOT_FOUND;
+#endif
+			goto choke;
+		}
 		else
 		{
 			dirsync = slapi_dup_control( controls[i-1]);
diff --git a/ldap/servers/slapd/back-ldbm/sort.c b/ldap/servers/slapd/back-ldbm/sort.c
index 10d44170..7a2a9c97 100644
--- a/ldap/servers/slapd/back-ldbm/sort.c
+++ b/ldap/servers/slapd/back-ldbm/sort.c
@@ -299,6 +299,10 @@ int parse_sort_spec(struct berval *sort_spec_ber, sort_spec **ps)
 	char *matchrule = NULL;
 	int rc = LDAP_SUCCESS;
 
+	if (NULL == sort_spec_ber->bv_val) {
+		return LDAP_PROTOCOL_ERROR;
+	}
+
 	ber = ber_init(sort_spec_ber);
     if(ber==NULL)
     {
diff --git a/ldap/servers/slapd/back-ldbm/vlv.c b/ldap/servers/slapd/back-ldbm/vlv.c
index 163d8a64..c68ce642 100644
--- a/ldap/servers/slapd/back-ldbm/vlv.c
+++ b/ldap/servers/slapd/back-ldbm/vlv.c
@@ -1846,6 +1846,12 @@ vlv_parse_request_control( backend *be, struct berval *vlv_spec_ber,struct vlv_r
     vlvp->value.bv_len = 0;
     vlvp->value.bv_val = NULL;
 
+    if (NULL == vlv_spec_ber->bv_val)
+    {
+        return_value= LDAP_OPERATIONS_ERROR;
+        return return_value;
+    }
+
     ber = ber_init(vlv_spec_ber);
     if (ber_scanf(ber, "{ii", &vlvp->beforeCount, &vlvp->afterCount) == LBER_ERROR)
     {
diff --git a/ldap/servers/slapd/passwd_extop.c b/ldap/servers/slapd/passwd_extop.c
index ff2e19f3..e22a52d4 100644
--- a/ldap/servers/slapd/passwd_extop.c
+++ b/ldap/servers/slapd/passwd_extop.c
@@ -527,6 +527,16 @@ passwd_modify_extop( Slapi_PBlock *pb )
 
 	/* Get the ber value of the extended operation */
 	slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value);
+
+	if (extop_value->bv_val == NULL)
+	{
+		/* The request field wasn't provided.  We'll
+		 * now try to determine the userid and verify
+		 * knowledge of the old password via other
+		 * means.
+		 */
+		goto parse_req_done;
+	}
 	
 	if ((ber = ber_init(extop_value)) == NULL)
 	{