diff options
| author | Noriko Hosoi <nhosoi@redhat.com> | 2010-04-27 10:31:49 -0700 |
|---|---|---|
| committer | Noriko Hosoi <nhosoi@redhat.com> | 2010-04-27 10:31:49 -0700 |
| commit | b65b3c97847edefe8e9242e5bac294dd13e73234 (patch) | |
| tree | 2859d29db58c36563dc1e6a6f7c14135674b915e | |
| parent | 3155d9ce34ca1caec53762237815e4ed7bb59da6 (diff) | |
| download | ds-b65b3c97847edefe8e9242e5bac294dd13e73234.tar.gz ds-b65b3c97847edefe8e9242e5bac294dd13e73234.tar.xz ds-b65b3c97847edefe8e9242e5bac294dd13e73234.zip | |
585905 - ACL with targattrfilters error crashes the server
https://bugzilla.redhat.com/show_bug.cgi?id=585905
Bug Description:
targattrfilters takes this format of value:
(targattrfilters="add=attr1:F1 && attr2:F2... &&
attrn:Fn,del=attr1:F1 && attr2:F2 ... && attrn:Fn")
The ACL plugin code had blindly expected the value contains
the operator "add" or "del" and '=' to concatenate the
attribute and filter pair. The plugin should have checked
the possibility that the value does not follow the format.
Fix Description:
If '=' is not included in the targattrfilters value, the
ACL parser returns ACL_SYNTAX_ERR. Also, adding a check
code for the returned pointer from strchr and strstr.
| -rw-r--r-- | ldap/servers/plugins/acl/aclparse.c | 26 |
1 files changed, 25 insertions, 1 deletions
diff --git a/ldap/servers/plugins/acl/aclparse.c b/ldap/servers/plugins/acl/aclparse.c index 0c8d0fa3..80fcfa05 100644 --- a/ldap/servers/plugins/acl/aclparse.c +++ b/ldap/servers/plugins/acl/aclparse.c @@ -291,6 +291,9 @@ __aclp__parse_aci (char *str, aci_t *aci_item) } tmpstr = strchr(str, '='); + if (NULL == tmpstr) { + return ACL_SYNTAX_ERR; + } tmpstr++; __acl_strip_leading_space(&tmpstr); @@ -777,6 +780,9 @@ normalize_nextACERule: } } else if ( 0 == strncmp ( s, DS_LAS_USERDN, 6)) { p = strstr ( s, "="); + if (NULL == p) { + goto error; + } p--; if ( strncmp (p, "!=", 2) == 0) aci_item->aci_type |= ACI_CONTAIN_NOT_USERDN; @@ -840,6 +846,9 @@ normalize_nextACERule: } else if ( 0 == strncmp ( s, DS_LAS_GROUPDN, 7)) { p = strstr ( s, "="); + if (NULL == p) { + goto error; + } p--; if ( strncmp (p, "!=", 2) == 0) aci_item->aci_type |= ACI_CONTAIN_NOT_GROUPDN; @@ -860,6 +869,9 @@ normalize_nextACERule: } else if ( 0 == strncmp ( s, DS_LAS_ROLEDN, 6)) { p = strstr ( s, "="); + if (NULL == p) { + goto error; + } p--; if ( strncmp (p, "!=", 2) == 0) aci_item->aci_type |= ACI_CONTAIN_NOT_ROLEDN; @@ -1270,6 +1282,9 @@ __aclp__init_targetattr (aci_t *aci, char *attr_val) Targetattr *attr = NULL; s = strchr (attr_val, '='); + if (NULL == s) { + return ACL_SYNTAX_ERR; + } s++; __acl_strip_leading_space(&s); __acl_strip_trailing_space(s); @@ -1695,6 +1710,9 @@ static int __acl__init_targetattrfilters( aci_t *aci, char *input_str) { /* First, skip the "targetattrfilters" */ s = strchr (input_str, '='); + if (NULL == s) { + return ACL_SYNTAX_ERR; + } s++; /* skip the = */ __acl_strip_leading_space(&s); /* skip to next significant character */ __acl_strip_trailing_space(s); @@ -1720,6 +1738,9 @@ static int __acl__init_targetattrfilters( aci_t *aci, char *input_str) { */ s = strchr (str, '='); + if (NULL == s) { + return ACL_SYNTAX_ERR; + } *s = '\0'; s++; /* skip the = */ __acl_strip_leading_space(&s); /* start of the first filter list */ @@ -1769,7 +1790,10 @@ static int __acl__init_targetattrfilters( aci_t *aci, char *input_str) { if (str != NULL ){ __acl_strip_leading_space(&str); - s = strchr (str, '='); + s = strchr (str, '='); + if (NULL == s) { + return ACL_SYNTAX_ERR; + } *s = '\0'; s++; __acl_strip_trailing_space(str); |