Resolves: #448831

Summary: attacker can tie up CPU in regex code (comment #11)
Description: string_filter_sub always expected SLAPI_SEARCH_TIMELIMIT and
SLAPI_OPINITIATED_TIME were set in pblock, but it was not true.  Fixed to check
the container of these values first, and retrieve them only if the container is
in the pblock.	Otherwise, set -1 to timelimit (no timelimit).

1 files changed, 9 insertions, 2 deletions

diff --git a/ldap/servers/plugins/syntaxes/string.c b/ldap/servers/plugins/syntaxes/string.c
index c9477cce..7f8aefcc 100644
--- a/ldap/servers/plugins/syntaxes/string.c
+++ b/ldap/servers/plugins/syntaxes/string.c
@@ -201,11 +201,18 @@ string_filter_sub( Slapi_PBlock *pb, char *initial, char **any, char *final,
 	time_t		time_up = 0;
 	time_t		optime = 0; /* time op was initiated */
 	int		timelimit = 0; /* search timelimit */
+	Operation *op = NULL;
 
 	LDAPDebug( LDAP_DEBUG_FILTER, "=> string_filter_sub\n",
 	    0, 0, 0 );
-	slapi_pblock_get( pb, SLAPI_SEARCH_TIMELIMIT, &timelimit );
-	slapi_pblock_get( pb, SLAPI_OPINITIATED_TIME, &optime );
+	slapi_pblock_get( pb, SLAPI_OPERATION, &op );
+	if (NULL != op) {
+		slapi_pblock_get( pb, SLAPI_SEARCH_TIMELIMIT, &timelimit );
+		slapi_pblock_get( pb, SLAPI_OPINITIATED_TIME, &optime );
+	} else {
+		/* timelimit is not passed via pblock */
+		timelimit = -1;
+	}
 	/*
 	 * (timelimit==-1) means no time limit
 	 */