From 86ba589019b75b8adb63a7a0f0dbc75bfce270e1 Mon Sep 17 00:00:00 2001 From: Noriko Hosoi Date: Wed, 9 Jan 2013 13:14:17 -0800 Subject: [PATCH] Ticket #542 - Cannot dynamically set nsslapd-maxbersize Fix description: Based on the proposal made by rmeggins@redhat.com in the ticket #542, this patch sets maxbersize every time before reading the client input from the socket. If the incoming ber size is larger than maxbersize, access log logs: [..] conn=# op=-1 fd=64 closed error 34 (Numerical result out of range) - B2 And the error log logs: [..] connection - conn=# fd=# Incoming BER Element was too long, max allowable is # bytes. Change the nsslapd-maxbersize attribute in cn=config to increase. --- ldap/servers/slapd/connection.c | 9 +++++---- ldap/servers/slapd/conntable.c | 3 +-- ldap/servers/slapd/daemon.c | 11 +++++++---- 3 files changed, 13 insertions(+), 10 deletions(-) diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c index d598b0b..7750bfe 100644 --- a/ldap/servers/slapd/connection.c +++ b/ldap/servers/slapd/connection.c @@ -1794,10 +1794,12 @@ get_next_from_buffer( void *buffer, size_t buffer_size, ber_len_t *lenp, } else if (errno == ERANGE) { + ber_len_t maxbersize = config_get_maxbersize(); /* openldap does not differentiate between length == 0 and length > max - all we know is that there was a problem with the length - assume too big */ err = SLAPD_DISCONNECT_BER_TOO_BIG; + log_ber_too_big_error(conn, 0, maxbersize); } else { @@ -1998,8 +2000,7 @@ int connection_read_operation(Connection *conn, Operation *op, ber_tag_t *tag, i disconnect_server( conn, conn->c_connid, -1, SLAPD_DISCONNECT_BAD_BER_TAG, EPROTO ); return CONN_DONE; } - if(is_ber_too_big(conn,len)) - { + if(is_ber_too_big(conn,len)) { disconnect_server( conn, conn->c_connid, -1, SLAPD_DISCONNECT_BER_TOO_BIG, 0 ); return CONN_DONE; } 
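Review bot: In the `errno == ERANGE` branch of get_next_from_buffer, the new `log_ber_too_big_error(conn, 0, maxbersize)` call logs whatever `config_get_maxbersize()` returns at log time, which may not be the limit actually applied to this connection. This patch pushes the limit into `conn->c_sb` in handle_new_connection (daemon.c), and the setting can now change after that, so someone reading the error log may see a figure that was never enforced here. The local `maxbersize` also looks redundant, because log_ber_too_big_error already re-reads the config when it is passed 0, so `log_ber_too_big_error(conn, 0, 0);` should behave the same. The existing comment says the library cannot tell a zero length from an over-limit one, so a note such as `/* limit logged is the current config value, not necessarily the one set on c_sb */` would help. This branch emits a SLAPI_LOG_FATAL line and appears reachable by any client that sends a bad length, so confirm the error-log volume is acceptable; the function body starts and ends outside the hunk.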
@@ -2706,7 +2707,7 @@ connection_set_ssl_ssf(Connection *conn) static int is_ber_too_big(const Connection *conn, ber_len_t ber_len) { - ber_len_t maxbersize= config_get_maxbersize(); + ber_len_t maxbersize = config_get_maxbersize(); if(ber_len > maxbersize) { log_ber_too_big_error(conn, ber_len, maxbersize); @@ -2726,7 +2727,7 @@ log_ber_too_big_error(const Connection *conn, ber_len_t ber_len, ber_len_t maxbersize) { if (0 == maxbersize) { - maxbersize= config_get_maxbersize(); + maxbersize = config_get_maxbersize(); } if (0 == ber_len) { slapi_log_error( SLAPI_LOG_FATAL, "connection", diff --git a/ldap/servers/slapd/conntable.c b/ldap/servers/slapd/conntable.c index df4f2f8..b61e5d4 100644 --- a/ldap/servers/slapd/conntable.c +++ b/ldap/servers/slapd/conntable.c @@ -49,7 +49,7 @@ connection_table_new(int table_size) { Connection_Table *ct; int i = 0; - + ber_len_t maxbersize = config_get_maxbersize(); ct= (Connection_Table*)slapi_ch_calloc( 1, sizeof(Connection_Table) ); ct->size= table_size; @@ -63,7 +63,6 @@ connection_table_new(int table_size) for ( i = 0; i < table_size; i++ ) { LBER_SOCKET invalid_socket; - ber_len_t maxbersize = config_get_maxbersize(); /* DBDB---move this out of here once everything works */ ct->c[i].c_sb = ber_sockbuf_alloc(); invalid_socket = SLAPD_INVALID_SOCKET; diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c index 85052fe..e3d2009 100644 --- a/ldap/servers/slapd/daemon.c +++ b/ldap/servers/slapd/daemon.c @@ -2590,6 +2590,7 @@ handle_new_connection(Connection_Table *ct, int tcps, PRFileDesc *pr_acceptfd, i /* struct sockaddr_in from;*/ PRNetAddr from; PRFileDesc *pr_clonefd = NULL; + ber_len_t maxbersize; memset(&from, 0, sizeof(from)); /* reset to nulls so we can see what was set */ if ( (ns = accept_and_configure( tcps, pr_acceptfd, &from, 
@@ -2646,14 +2647,16 @@ handle_new_connection(Connection_Table *ct, int tcps, PRFileDesc *pr_acceptfd, i func_pointers.lbextiofn_write = write_function; func_pointers.lbextiofn_writev = NULL; #ifdef _WIN32 - func_pointers.lbextiofn_socket_arg = (struct lextiof_socket_private *) ns; + func_pointers.lbextiofn_socket_arg = (struct lextiof_socket_private *) ns; #else - func_pointers.lbextiofn_socket_arg = (struct lextiof_socket_private *) pr_clonefd; + func_pointers.lbextiofn_socket_arg = (struct lextiof_socket_private *) pr_clonefd; #endif - ber_sockbuf_set_option( conn->c_sb, - LBER_SOCKBUF_OPT_EXT_IO_FNS, &func_pointers); + ber_sockbuf_set_option(conn->c_sb, + LBER_SOCKBUF_OPT_EXT_IO_FNS, &func_pointers); } #endif /* !USE_OPENLDAP */ + maxbersize = config_get_maxbersize(); + ber_sockbuf_ctrl( conn->c_sb, LBER_SB_OPT_SET_MAX_INCOMING, &maxbersize ); if( secure && config_get_SSLclientAuth() != SLAPD_SSLCLIENTAUTH_OFF ) { /* Prepare to handle the client's certificate (if any): */ -- 1.7.7.6
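Review bot: The result of the new `ber_sockbuf_ctrl( conn->c_sb, LBER_SB_OPT_SET_MAX_INCOMING, &maxbersize )` call in handle_new_connection is discarded, so if the option is not applied the connection silently keeps whatever limit the sockbuf already had. Because this value bounds how much a peer can make the server buffer, I would compare the return against the documented success value and log (or refuse the connection) on failure. The limit is set once per accepted connection, whereas the commit description says it is set every time before reading, so connections already open seem to keep the old limit after nsslapd-maxbersize is lowered. A comment such as `/* applied at accept time; existing connections keep their previous limit */` would make that explicit. The call also sits after `#endif /* !USE_OPENLDAP */`, so it is compiled in both builds; confirm that LBER_SB_OPT_SET_MAX_INCOMING exists in the non-OpenLDAP build (the function body starts and ends outside the hunk).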