| author | Noriko Hosoi <nhosoi@redhat.com> | 2007-10-24 18:41:15 +0000 |
|---|---|---|
| committer | Noriko Hosoi <nhosoi@redhat.com> | 2007-10-24 18:41:15 +0000 |
| commit | ba6ce79587ea422d84cf0a3ec476d15de87c6608 (patch) | |
| tree | 3e628f7da44e44a33677eb497ef169d1e28b5f3b | |
| parent | 3dd48aa1f935760b95361bcbed7e8a157e585608 (diff) | |
Resolves: #339791
Summary: rhds71sp1 rhel3u6 - ns-slapd process dies with segmentation fault
Description: ldap_utf8prev, LDAP_UTF8PREV, and LDAP_UTF8DEC were sometimes
used without checking whether the returned pointer had gone back beyond the
beginning of the string.
| -rw-r--r-- | ldap/servers/plugins/acl/acllas.c | 30 | ||||
| -rw-r--r-- | ldap/servers/plugins/acl/aclparse.c | 11 | ||||
| -rw-r--r-- | ldap/servers/plugins/syntaxes/value.c | 51 |
3 files changed, 57 insertions, 35 deletions
diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c index 1b04215c..b38150c2 100644 --- a/ldap/servers/plugins/acl/acllas.c +++ b/ldap/servers/plugins/acl/acllas.c @@ -562,7 +562,10 @@ DS_LASUserDnEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator, /* ignore trailing whitespace */ len = strlen(user); ptr = user+len-1; - while(ldap_utf8isspace(ptr)){ *ptr = '\0'; LDAP_UTF8DEC(ptr); } + while(ptr >= user && ldap_utf8isspace(ptr)) { + *ptr = '\0'; + LDAP_UTF8DEC(ptr); + } } /* @@ -806,7 +809,10 @@ DS_LASGroupDnEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator, /* ignore trailing whitespace */ len = strlen(groupName); ptr = groupName+len-1; - while(ldap_utf8isspace(ptr)) { *ptr = '\0'; LDAP_UTF8DEC(ptr); } + while(ptr >= groupName && ldap_utf8isspace(ptr)) { + *ptr = '\0'; + LDAP_UTF8DEC(ptr); + } } /* @@ -966,7 +972,10 @@ DS_LASRoleDnEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator, /* ignore trailing whitespace */ len = strlen(role); ptr = role+len-1; - while(ldap_utf8isspace(ptr)) { *ptr = '\0'; LDAP_UTF8DEC(ptr); } + while(ptr >= role && ldap_utf8isspace(ptr)) { + *ptr = '\0'; + LDAP_UTF8DEC(ptr); + } } /* @@ -1118,7 +1127,10 @@ DS_LASUserDnAttrEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator, while(ldap_utf8isspace(attrName)) LDAP_UTF8INC(attrName); len = strlen(attrName); ptr = attrName+len-1; - while(ldap_utf8isspace(ptr)) { *ptr = '\0'; LDAP_UTF8DEC(ptr); } + while(ptr >= attrName && ldap_utf8isspace(ptr)) { + *ptr = '\0'; + LDAP_UTF8DEC(ptr); + } /* See if we have a parent[2].attr" rule */ 
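Review bot: In the DS_LASUserDnEval hunk the added `ptr >= user` test stops the dereference, but `LDAP_UTF8DEC(ptr)` still runs once with `ptr == user` whenever the scan reaches the first byte, for example on a value that is all whitespace (assuming leading whitespace is not stripped earlier, outside the hunk). The macro's definition is not on this page; if it inspects the preceding byte to find a character boundary, as a UTF-8 step-back normally does, that is a read of `user[-1]`, and the loop exit in any case relies on comparing a pointer that lies before the buffer, which C leaves undefined. Adding `if (ptr == user) break;` right after `*ptr = '\0';` avoids both. The same loop appears in the DS_LASGroupDnEval and DS_LASRoleDnEval hunks and in `__acl_strip_trailing_space` in aclparse.c. The three acllas.c functions begin and end outside their hunks.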
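Review bot: In the DS_LASUserDnAttrEval hunk `ptr = attrName+len-1` is computed directly after the leading-whitespace skip with no emptiness test in between, so an `attrName` that is empty at that point gives `len == 0` and a pointer one byte before the string before the new loop condition is ever evaluated. The added `ptr >= attrName` keeps the loop body from running in practice, but it is cleaner never to form that pointer, for example by guarding the assignment and the loop with `if (len > 0) { ... }`. The DS_LASAuthMethodEval (`attr`) and DS_LASGroupDnAttrEval (`attrName`) hunks have the same shape. Whether earlier validation rules out an empty value cannot be seen from the hunk, since the function starts outside it.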
@@ -1346,7 +1358,10 @@ DS_LASAuthMethodEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator, while(ldap_utf8isspace(attr)) LDAP_UTF8INC(attr); len = strlen(attr); ptr = attr+len-1; - while(ldap_utf8isspace(ptr)) { *ptr = '\0'; LDAP_UTF8DEC(ptr); } + while(ptr >= attr && ldap_utf8isspace(ptr)) { + *ptr = '\0'; + LDAP_UTF8DEC(ptr); + } slapi_log_error( SLAPI_LOG_ACL, plugin_name, "DS_LASAuthMethodEval:authtype:%s authmethod:%s\n", @@ -2124,7 +2139,10 @@ DS_LASGroupDnAttrEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator, while(ldap_utf8isspace(attrName)) LDAP_UTF8INC(attrName); len = strlen(attrName); ptr = attrName+len-1; - while(ldap_utf8isspace(ptr)) { *ptr = '\0'; LDAP_UTF8DEC(ptr); } + while(ptr >= attrName && ldap_utf8isspace(ptr)) { + *ptr = '\0'; + LDAP_UTF8DEC(ptr); + } slapi_log_error( SLAPI_LOG_ACL, plugin_name,"Attr:%s\n" , attrName, 0,0); diff --git a/ldap/servers/plugins/acl/aclparse.c b/ldap/servers/plugins/acl/aclparse.c index 86a60925..36ed8456 100644 --- a/ldap/servers/plugins/acl/aclparse.c +++ b/ldap/servers/plugins/acl/aclparse.c @@ -464,7 +464,7 @@ __aclp__sanity_check_acltxt (aci_t *aci_item, char *str) char *next; next = s + 12; s--; - while (s != str && ldap_utf8isspace(s)) LDAP_UTF8DEC(s); + while (s > str && ldap_utf8isspace(s)) LDAP_UTF8DEC(s); if (s && *s == ';') { /* We don't support authenticate stuff */ return ACL_INVALID_AUTHORIZATION; @@ -1542,9 +1542,12 @@ __acl_strip_trailing_space( char *str) { if (*str) { /* ignore trailing whitespace */ - len = strlen(str); - ptr = str+len-1; - while(ldap_utf8isspace(ptr)){ *ptr = '\0'; LDAP_UTF8DEC(ptr); } + len = strlen(str); + ptr = str+len-1; + while(ptr >= str && ldap_utf8isspace(ptr)) { + *ptr = '\0'; + LDAP_UTF8DEC(ptr); + } } } diff --git a/ldap/servers/plugins/syntaxes/value.c b/ldap/servers/plugins/syntaxes/value.c index f654686b..f127b6b6 100644 --- a/ldap/servers/plugins/syntaxes/value.c +++ b/ldap/servers/plugins/syntaxes/value.c 
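Review bot: In the `__aclp__sanity_check_acltxt` hunk, changing `s != str` to `s > str` bounds the backward scan, but the following line still dereferences `s` without a bound: after `s--`, a match at the very start of `str` leaves `s == str - 1`, the loop is skipped, and `*s == ';'` reads the byte before the buffer. The `s &&` test does not help, because `s` is not NULL at that point. `if (s >= str && *s == ';') {` would close the gap. The assignment of `s` is outside the hunk, so this assumes `s` can equal `str` on entry.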
@@ -88,13 +88,14 @@ utf8isspace_fast( char* s ) */ void value_normalize( - char *s, - int syntax, + char *s, + int syntax, int trim_spaces ) { - char *d; - int prevspace, curspace; + char *head = s; + char *d; + int prevspace, curspace; if ( ! (syntax & SYNTAX_CIS) && ! (syntax & SYNTAX_CES) ) { return; @@ -107,10 +108,10 @@ value_normalize( d = s; if (trim_spaces) { - /* strip leading blanks */ - while (utf8isspace_fast(s)) { - LDAP_UTF8INC(s); - } + /* strip leading blanks */ + while (utf8isspace_fast(s)) { + LDAP_UTF8INC(s); + } } /* for int syntax, look for leading sign, then trim 0s */ @@ -167,8 +168,8 @@ value_normalize( /* compress multiple blanks */ if ( prevspace && curspace ) { - LDAP_UTF8INC(s); - continue; + LDAP_UTF8INC(s); + continue; } prevspace = curspace; if ( syntax & SYNTAX_CIS ) { @@ -177,28 +178,28 @@ value_normalize( s += ssz; d += dsz; } else { - char *np; - int sz; + char *np; + int sz; - np = ldap_utf8next(s); - if (np == NULL || np == s) break; - sz = np - s; - memmove(d,s,sz); - d += sz; - s += sz; + np = ldap_utf8next(s); + if (np == NULL || np == s) break; + sz = np - s; + memmove(d,s,sz); + d += sz; + s += sz; } } *d = '\0'; /* strip trailing blanks */ if (prevspace && trim_spaces) { - char *nd; + char *nd; - nd = ldap_utf8prev(d); - while (nd && utf8isspace_fast(nd)) { - d = nd; - nd = ldap_utf8prev(d); - *d = '\0'; - } + nd = ldap_utf8prev(d); + while (nd && nd >= head && utf8isspace_fast(nd)) { + d = nd; + nd = ldap_utf8prev(d); + *d = '\0'; + } } } |
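Review bot: In the trailing-blank loop of `value_normalize`, `nd >= head` is tested only after `ldap_utf8prev(d)` has already been called, both before the loop and inside it, so the new bound only takes effect once the helper has been asked to step back from the start of the buffer. Its implementation is not on this page; if it reads the preceding byte to find the character boundary, that is still a read before `head`. Testing `d > head` before each call removes the dependency on how the helper behaves at the first byte, as sketched below. Separately, this file section mixes re-indentation with the functional change, which makes the fix hard to spot in review; a whitespace-only commit would keep the two apart.

```c
    /* strip trailing blanks */
    if (prevspace && trim_spaces) {
        /* d > head: never call ldap_utf8prev() on the first byte of the buffer */
        while (d > head) {
            char *nd = ldap_utf8prev(d);

            if (nd == NULL || nd < head || !utf8isspace_fast(nd)) {
                break;
            }
            d = nd;
            *d = '\0';
        }
    }
```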
