From 4f410d762b008da8e2e43e29100c2c04ff332fbb Mon Sep 17 00:00:00 2001 From: Rich Megginson Date: Fri, 1 Oct 2010 16:38:04 -0600 Subject: openldap ber_init will assert if the bv->bv_val is NULL Have to ensure that all usage of ber_init in the server checks to see if the bv->bv_val is non-NULL before using ber_init, and return the appropriate error if it is NULL Also fixed a problem in dna_extend_exop - would not send the ldap result to the client in certain error conditions Reviewed by: nhosoi (Thanks!) Tested on: RHEL5 x86_64 --- ldap/servers/plugins/acl/aclproxy.c | 4 ++++ ldap/servers/plugins/chainingdb/cb_controls.c | 3 ++- ldap/servers/plugins/chainingdb/cb_utils.c | 3 ++- ldap/servers/plugins/deref/deref.c | 6 ++++++ ldap/servers/plugins/dna/dna.c | 11 +++++------ ldap/servers/plugins/replication/repl5_total.c | 2 +- ldap/servers/plugins/replication/repl_controls.c | 2 +- ldap/servers/plugins/replication/repl_extop.c | 6 +++--- ldap/servers/plugins/replication/windows_private.c | 6 ++++++ ldap/servers/slapd/back-ldbm/sort.c | 4 ++++ ldap/servers/slapd/back-ldbm/vlv.c | 6 ++++++ ldap/servers/slapd/passwd_extop.c | 10 ++++++++++ 12 files changed, 50 insertions(+), 13 deletions(-) diff --git a/ldap/servers/plugins/acl/aclproxy.c b/ldap/servers/plugins/acl/aclproxy.c index 9b28489a..46eb437a 100644 --- a/ldap/servers/plugins/acl/aclproxy.c +++ b/ldap/servers/plugins/acl/aclproxy.c @@ -98,6 +98,10 @@ parse_LDAPProxyAuth(struct berval *spec_ber, int version, char **errtextp, break; } + if ( !spec_ber || !spec_ber->bv_val ) { + break; + } + /* create_LDAPProxyAuth */ spec = (LDAPProxyAuth*)slapi_ch_calloc(1,sizeof (LDAPProxyAuth)); if (!spec) { diff --git a/ldap/servers/plugins/chainingdb/cb_controls.c b/ldap/servers/plugins/chainingdb/cb_controls.c index f6b0653a..8416c0a5 100644 --- a/ldap/servers/plugins/chainingdb/cb_controls.c +++ b/ldap/servers/plugins/chainingdb/cb_controls.c @@ -221,7 +221,8 @@ int cb_update_controls( Slapi_PBlock * pb, dCount++; } else - if (!strcmp(reqControls[cCount]->ldctl_oid,CB_LDAP_CONTROL_CHAIN_SERVER)) { + if (!strcmp(reqControls[cCount]->ldctl_oid,CB_LDAP_CONTROL_CHAIN_SERVER) && + reqControls[cCount]->ldctl_value.bv_val) { /* Max hop count reached ? */ /* Checked earlier by a call to cb_forward_operation() */ diff --git a/ldap/servers/plugins/chainingdb/cb_utils.c b/ldap/servers/plugins/chainingdb/cb_utils.c index 4878e1a8..cfa19a16 100644 --- a/ldap/servers/plugins/chainingdb/cb_utils.c +++ b/ldap/servers/plugins/chainingdb/cb_utils.c @@ -147,7 +147,8 @@ int cb_forward_operation(Slapi_PBlock * pb ) { struct berval *ctl_value=NULL; int iscritical=0; - if (slapi_control_present(ctrls,CB_LDAP_CONTROL_CHAIN_SERVER,&ctl_value,&iscritical)) { + if (slapi_control_present(ctrls,CB_LDAP_CONTROL_CHAIN_SERVER,&ctl_value,&iscritical) && + ctl_value && ctl_value->bv_val) { /* Decode control data */ /* hop INTEGER (0 .. maxInt) */ diff --git a/ldap/servers/plugins/deref/deref.c b/ldap/servers/plugins/deref/deref.c index e7fdaa5c..fb6a54a3 100644 --- a/ldap/servers/plugins/deref/deref.c +++ b/ldap/servers/plugins/deref/deref.c @@ -380,6 +380,12 @@ deref_parse_ctrl_value(DerefSpecList *speclist, const struct berval *ctrlbv, int PR_ASSERT(ctrlbv && ctrlbv->bv_val && ctrlbv->bv_len && ldapcode && ldaperrtext); + if (!ctrlbv || !ctrlbv->bv_val) { + *ldapcode = LDAP_PROTOCOL_ERROR; + *ldaperrtext = "Empty deref control value"; + return; + } + ber = ber_init((struct berval *)ctrlbv); for (tag = ber_first_element(ber, &len, &last); (tag != LBER_ERROR) && (tag != LBER_END_OF_SEQORSET); diff --git a/ldap/servers/plugins/dna/dna.c b/ldap/servers/plugins/dna/dna.c index e60f3714..5419409b 100644 --- a/ldap/servers/plugins/dna/dna.c +++ b/ldap/servers/plugins/dna/dna.c @@ -1602,7 +1602,7 @@ static int dna_request_range(struct configEntry *config_entry, } /* Parse response */ - if (responsedata) { + if (responsedata && responsedata->bv_val) { respber = ber_init(responsedata); if (ber_scanf(respber, "{aa}", &lower_str, &upper_str) == LBER_ERROR) { ret = LDAP_PROTOCOL_ERROR; @@ -3123,7 +3123,7 @@ static int dna_config_check_post_op(Slapi_PBlock * pb) ***************************************************/ static int dna_extend_exop(Slapi_PBlock *pb) { - int ret = -1; + int ret = SLAPI_PLUGIN_EXTENDED_NOT_HANDLED; struct berval *reqdata = NULL; BerElement *tmp_bere = NULL; char *shared_dn = NULL; @@ -3152,20 +3152,19 @@ static int dna_extend_exop(Slapi_PBlock *pb) /* Fetch the request data */ slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &reqdata); - if (!reqdata) { + if (!reqdata || !reqdata->bv_val) { slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM, "dna_extend_exop: No request data received.\n"); goto free_and_return; } /* decode the exop */ - if ((tmp_bere = ber_init(reqdata)) == NULL) { - ret = -1; + if ((reqdata->bv_val == NULL) || (tmp_bere = ber_init(reqdata)) == NULL) { goto free_and_return; } if (ber_scanf(tmp_bere, "{a}", &shared_dn) == LBER_ERROR) { - ret = -1; + ret = LDAP_PROTOCOL_ERROR; goto free_and_return; } diff --git a/ldap/servers/plugins/replication/repl5_total.c b/ldap/servers/plugins/replication/repl5_total.c index d2987cdb..99ba838a 100644 --- a/ldap/servers/plugins/replication/repl5_total.c +++ b/ldap/servers/plugins/replication/repl5_total.c @@ -729,7 +729,7 @@ decode_total_update_extop(Slapi_PBlock *pb, Slapi_Entry **ep) if (NULL == extop_oid || ((strcmp(extop_oid, REPL_NSDS50_REPLICATION_ENTRY_REQUEST_OID) != 0) && (strcmp(extop_oid, REPL_NSDS71_REPLICATION_ENTRY_REQUEST_OID) != 0)) || - NULL == extop_value) + NULL == extop_value || NULL == extop_value->bv_val) { /* Bogus */ goto loser; diff --git a/ldap/servers/plugins/replication/repl_controls.c b/ldap/servers/plugins/replication/repl_controls.c index cfd980fd..980bdd89 100644 --- a/ldap/servers/plugins/replication/repl_controls.c +++ b/ldap/servers/plugins/replication/repl_controls.c @@ -216,7 +216,7 @@ decode_NSDS50ReplUpdateInfoControl(LDAPControl **controlsp, if (slapi_control_present(controlsp, REPL_NSDS50_UPDATE_INFO_CONTROL_OID, &ctl_value, &iscritical)) { - if ((tmp_bere = ber_init(ctl_value)) == NULL) + if ((ctl_value->bv_val == NULL) || (tmp_bere = ber_init(ctl_value)) == NULL) { rc = -1; goto loser; diff --git a/ldap/servers/plugins/replication/repl_extop.c b/ldap/servers/plugins/replication/repl_extop.c index 527c964e..38af8ab8 100644 --- a/ldap/servers/plugins/replication/repl_extop.c +++ b/ldap/servers/plugins/replication/repl_extop.c @@ -342,7 +342,7 @@ decode_startrepl_extop(Slapi_PBlock *pb, char **protocol_oid, char **repl_root, if (NULL == extop_oid || ((strcmp(extop_oid, REPL_START_NSDS50_REPLICATION_REQUEST_OID) != 0) && (strcmp(extop_oid, REPL_START_NSDS90_REPLICATION_REQUEST_OID) != 0)) || - NULL == extop_value) + NULL == extop_value || NULL == extop_value->bv_val) { /* bogus */ rc = -1; @@ -478,7 +478,7 @@ decode_endrepl_extop(Slapi_PBlock *pb, char **repl_root) if (NULL == extop_oid || strcmp(extop_oid, REPL_END_NSDS50_REPLICATION_REQUEST_OID) != 0 || - NULL == extop_value) + NULL == extop_value || NULL == extop_value->bv_val) { /* bogus */ rc = -1; @@ -542,7 +542,7 @@ decode_repl_ext_response(struct berval *bvdata, int *response_code, PR_ASSERT(NULL != ruv_bervals); if (NULL == bvdata || NULL == response_code || NULL == ruv_bervals || - NULL == data_guid || NULL == data) + NULL == data_guid || NULL == data || NULL == bvdata->bv_val) { return_value = -1; } diff --git a/ldap/servers/plugins/replication/windows_private.c b/ldap/servers/plugins/replication/windows_private.c index f2bf031e..9ad7681a 100644 --- a/ldap/servers/plugins/replication/windows_private.c +++ b/ldap/servers/plugins/replication/windows_private.c @@ -609,6 +609,12 @@ void windows_private_update_dirsync_control(const Repl_Agmt *ra,LDAPControl **co { #ifdef FOR_DEBUGGING return_value = LDAP_CONTROL_NOT_FOUND; +#endif + goto choke; + } + else if (!controls[i-1]->ldctl_value.bv_val) { +#ifdef FOR_DEBUGGING + return_value = LDAP_CONTROL_NOT_FOUND; #endif goto choke; } diff --git a/ldap/servers/slapd/back-ldbm/sort.c b/ldap/servers/slapd/back-ldbm/sort.c index 10d44170..7a2a9c97 100644 --- a/ldap/servers/slapd/back-ldbm/sort.c +++ b/ldap/servers/slapd/back-ldbm/sort.c @@ -299,6 +299,10 @@ int parse_sort_spec(struct berval *sort_spec_ber, sort_spec **ps) char *matchrule = NULL; int rc = LDAP_SUCCESS; + if (NULL == sort_spec_ber->bv_val) { + return LDAP_PROTOCOL_ERROR; + } + ber = ber_init(sort_spec_ber); if(ber==NULL) { diff --git a/ldap/servers/slapd/back-ldbm/vlv.c b/ldap/servers/slapd/back-ldbm/vlv.c index 163d8a64..c68ce642 100644 --- a/ldap/servers/slapd/back-ldbm/vlv.c +++ b/ldap/servers/slapd/back-ldbm/vlv.c @@ -1846,6 +1846,12 @@ vlv_parse_request_control( backend *be, struct berval *vlv_spec_ber,struct vlv_r vlvp->value.bv_len = 0; vlvp->value.bv_val = NULL; + if (NULL == vlv_spec_ber->bv_val) + { + return_value= LDAP_OPERATIONS_ERROR; + return return_value; + } + ber = ber_init(vlv_spec_ber); if (ber_scanf(ber, "{ii", &vlvp->beforeCount, &vlvp->afterCount) == LBER_ERROR) { diff --git a/ldap/servers/slapd/passwd_extop.c b/ldap/servers/slapd/passwd_extop.c index ff2e19f3..e22a52d4 100644 --- a/ldap/servers/slapd/passwd_extop.c +++ b/ldap/servers/slapd/passwd_extop.c @@ -527,6 +527,16 @@ passwd_modify_extop( Slapi_PBlock *pb ) /* Get the ber value of the extended operation */ slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value); + + if (extop_value->bv_val == NULL) + { + /* The request field wasn't provided. We'll + * now try to determine the userid and verify + * knowledge of the old password via other + * means. + */ + goto parse_req_done; + } if ((ber = ber_init(extop_value)) == NULL) { -- cgit