From 0aa523cd16f97160ab406db8958a78253f7e31bc Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Fri, 22 Feb 2013 14:40:46 -0800
Subject: [PATCH] Bugzilla 912964 - bug in handling of LDAPv3 control data
Bug Description:
If we receive an incorrect control, with non NULL bv_val but
bv_len=0, it can trigger a crash.  This bug occurs because
of a call of openldap ber_init with such incorrect control.
Fix Description:
Before calling ber_init, check that the control length is not 0.
Note: checking in the patch on behalf of "Thierry bordaz"
<tbordaz@redhat.com>
https://bugzilla.redhat.com/show_bug.cgi?id=913228
Reviewed by: rmeggins@redhat.com, nhosoi@redhat.com
Platforms tested: Fedora 18, RHEL 6.4 (RHDS6.4)
Flag Day: no
Doc impact: possibly document a security bug
---
 ldap/servers/plugins/chainingdb/cb_controls.c      |    6 +---
 ldap/servers/plugins/chainingdb/cb_utils.c         |    2 +-
 ldap/servers/plugins/deref/deref.c                 |    2 +-
 ldap/servers/plugins/dna/dna.c                     |    7 +++--
 ldap/servers/plugins/replication/repl5_total.c     |    6 ++--
 ldap/servers/plugins/replication/repl_controls.c   |    2 +-
 ldap/servers/plugins/replication/repl_extop.c      |   21 ++++++++++++-------
 ldap/servers/plugins/replication/windows_private.c |    7 ++++++
 ldap/servers/slapd/back-ldbm/sort.c                |    9 +++----
 ldap/servers/slapd/back-ldbm/vlv.c                 |    4 +-
 ldap/servers/slapd/passwd_extop.c                  |    2 +-
 ldap/servers/slapd/proxyauth.c                     |    2 +-
 ldap/servers/slapd/slapi-plugin.h                  |    4 +++
 13 files changed, 44 insertions(+), 30 deletions(-)
diff --git a/ldap/servers/plugins/chainingdb/cb_controls.c b/ldap/servers/plugins/chainingdb/cb_controls.c
dc8c34
index f079901..2a698a0 100644
dc8c34
--- a/ldap/servers/plugins/chainingdb/cb_controls.c
dc8c34
+++ b/ldap/servers/plugins/chainingdb/cb_controls.c
dc8c34
@@ -220,10 +220,8 @@ int cb_update_controls( Slapi_PBlock * pb,
dc8c34
             ctrls[dCount]=slapi_dup_control(reqControls[cCount]);
dc8c34
             dCount++;
dc8c34
 
dc8c34
-        } else
dc8c34
-            if (!strcmp(reqControls[cCount]->ldctl_oid,CB_LDAP_CONTROL_CHAIN_SERVER) &&
dc8c34
-                reqControls[cCount]->ldctl_value.bv_val) {
dc8c34
-
dc8c34
+        } else if (!strcmp(reqControls[cCount]->ldctl_oid,CB_LDAP_CONTROL_CHAIN_SERVER) &&
dc8c34
+                   BV_HAS_DATA((&(reqControls[cCount]->ldctl_value)))) {
dc8c34
             /* Max hop count reached ?                 */
dc8c34
             /* Checked earlier by a call to cb_forward_operation()  */
dc8c34
 
dc8c34
diff --git a/ldap/servers/plugins/chainingdb/cb_utils.c b/ldap/servers/plugins/chainingdb/cb_utils.c
dc8c34
index 2492226..f28f5d3 100644
dc8c34
--- a/ldap/servers/plugins/chainingdb/cb_utils.c
dc8c34
+++ b/ldap/servers/plugins/chainingdb/cb_utils.c
dc8c34
@@ -148,7 +148,7 @@ int cb_forward_operation(Slapi_PBlock * pb ) {
dc8c34
 		int iscritical=0;
dc8c34
 
dc8c34
 		if (slapi_control_present(ctrls,CB_LDAP_CONTROL_CHAIN_SERVER,&ctl_value,&iscritical) &&
dc8c34
-			ctl_value && ctl_value->bv_val) {
dc8c34
+			BV_HAS_DATA(ctl_value)) {
dc8c34
 
dc8c34
 			/* Decode control data 			*/
dc8c34
 			/* hop           INTEGER (0 .. maxInt) 	*/
dc8c34
diff --git a/ldap/servers/plugins/deref/deref.c b/ldap/servers/plugins/deref/deref.c
dc8c34
index 7c502df..51394c8 100644
dc8c34
--- a/ldap/servers/plugins/deref/deref.c
dc8c34
+++ b/ldap/servers/plugins/deref/deref.c
dc8c34
@@ -382,7 +382,7 @@ deref_parse_ctrl_value(DerefSpecList *speclist, const struct berval *ctrlbv, int
dc8c34
 
dc8c34
     PR_ASSERT(ctrlbv && ctrlbv->bv_val && ctrlbv->bv_len && ldapcode && ldaperrtext);
dc8c34
 
dc8c34
-    if (!ctrlbv || !ctrlbv->bv_val) {
dc8c34
+    if (!BV_HAS_DATA(ctrlbv)) {
dc8c34
         *ldapcode = LDAP_PROTOCOL_ERROR;
dc8c34
         *ldaperrtext = "Empty deref control value";
dc8c34
         return;
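Review bot: The PR_ASSERT two lines above the new guard still asserts `ctrlbv->bv_val && ctrlbv->bv_len`, so in an assertion-enabled build a client that sends a deref control with an empty value aborts the server before the graceful LDAP_PROTOCOL_ERROR path added here is ever reached. Assertions should cover the caller's contract (the out-pointers), not remote input; reduce it to `PR_ASSERT(ldapcode && ldaperrtext);` and let the BV_HAS_DATA branch handle the empty value. deref_parse_ctrl_value's body continues outside the hunk.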
dc8c34
diff --git a/ldap/servers/plugins/dna/dna.c b/ldap/servers/plugins/dna/dna.c
dc8c34
index 6babe23..080e357 100644
dc8c34
--- a/ldap/servers/plugins/dna/dna.c
dc8c34
+++ b/ldap/servers/plugins/dna/dna.c
dc8c34
@@ -1668,7 +1668,7 @@ static int dna_request_range(struct configEntry *config_entry,
dc8c34
     }
dc8c34
 
dc8c34
     /* Parse response */
dc8c34
-    if (responsedata && responsedata->bv_val) {
dc8c34
+    if (BV_HAS_DATA(responsedata)) {
dc8c34
         respber = ber_init(responsedata);
dc8c34
         if (ber_scanf(respber, "{aa}", &lower_str, &upper_str) == LBER_ERROR) {
dc8c34
             ret = LDAP_PROTOCOL_ERROR;
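Review bot: `respber = ber_init(responsedata)` is handed straight to `ber_scanf` without a NULL check, so the new guard covers only the empty-value case; if ber_init itself fails (for example on allocation failure) the next line dereferences NULL. The second hunk in this file does check the ber_init result before using it; do the same here with `if (respber == NULL || ber_scanf(respber, "{aa}", &lower_str, &upper_str) == LBER_ERROR) {`, which also keeps the error path on LDAP_PROTOCOL_ERROR. Whether the later cleanup tolerates a NULL respber is not visible here and should be confirmed. dna_request_range starts and ends outside the hunk.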
dc8c34
@@ -3745,14 +3745,15 @@ static int dna_extend_exop(Slapi_PBlock *pb)
dc8c34
 
dc8c34
     /* Fetch the request data */
dc8c34
     slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &reqdata);
dc8c34
-    if (!reqdata || !reqdata->bv_val) {
dc8c34
+    if (!BV_HAS_DATA(reqdata)) {
dc8c34
         slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM,
dc8c34
                         "dna_extend_exop: No request data received.\n");
dc8c34
         goto free_and_return;
dc8c34
     }
dc8c34
 
dc8c34
     /* decode the exop */
dc8c34
-    if ((reqdata->bv_val == NULL) || (tmp_bere = ber_init(reqdata)) == NULL) {
dc8c34
+    tmp_bere = ber_init(reqdata);
dc8c34
+    if (tmp_bere == NULL) {
dc8c34
         goto free_and_return;
dc8c34
     }
dc8c34
 
dc8c34
diff --git a/ldap/servers/plugins/replication/repl5_total.c b/ldap/servers/plugins/replication/repl5_total.c
dc8c34
index 99ba838..f22246d 100644
dc8c34
--- a/ldap/servers/plugins/replication/repl5_total.c
dc8c34
+++ b/ldap/servers/plugins/replication/repl5_total.c
dc8c34
@@ -726,10 +726,10 @@ decode_total_update_extop(Slapi_PBlock *pb, Slapi_Entry **ep)
dc8c34
 	slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_OID, &extop_oid);
dc8c34
 	slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value);
dc8c34
 
dc8c34
-	if (NULL == extop_oid ||
dc8c34
+	if ((NULL == extop_oid) || 
dc8c34
 		((strcmp(extop_oid, REPL_NSDS50_REPLICATION_ENTRY_REQUEST_OID) != 0) && 
dc8c34
-		(strcmp(extop_oid, REPL_NSDS71_REPLICATION_ENTRY_REQUEST_OID) != 0)) ||
dc8c34
-		NULL == extop_value || NULL == extop_value->bv_val)
dc8c34
+		 (strcmp(extop_oid, REPL_NSDS71_REPLICATION_ENTRY_REQUEST_OID) != 0)) ||
dc8c34
+		!BV_HAS_DATA(extop_value))
dc8c34
 	{
dc8c34
 		/* Bogus */
dc8c34
 		goto loser;
dc8c34
diff --git a/ldap/servers/plugins/replication/repl_controls.c b/ldap/servers/plugins/replication/repl_controls.c
dc8c34
index 980bdd8..e6aeaaa 100644
dc8c34
--- a/ldap/servers/plugins/replication/repl_controls.c
dc8c34
+++ b/ldap/servers/plugins/replication/repl_controls.c
dc8c34
@@ -216,7 +216,7 @@ decode_NSDS50ReplUpdateInfoControl(LDAPControl **controlsp,
dc8c34
 	if (slapi_control_present(controlsp, REPL_NSDS50_UPDATE_INFO_CONTROL_OID,
dc8c34
 	    &ctl_value, &iscritical))
dc8c34
 	{
dc8c34
-		if ((ctl_value->bv_val == NULL) || (tmp_bere = ber_init(ctl_value)) == NULL)
dc8c34
+		if (!BV_HAS_DATA(ctl_value) || (tmp_bere = ber_init(ctl_value)) == NULL)
dc8c34
 		{
dc8c34
 			rc = -1;
dc8c34
 			goto loser;
dc8c34
diff --git a/ldap/servers/plugins/replication/repl_extop.c b/ldap/servers/plugins/replication/repl_extop.c
dc8c34
index e842c62..68aed62 100644
dc8c34
--- a/ldap/servers/plugins/replication/repl_extop.c
dc8c34
+++ b/ldap/servers/plugins/replication/repl_extop.c
dc8c34
@@ -343,10 +343,10 @@ decode_startrepl_extop(Slapi_PBlock *pb, char **protocol_oid, char **repl_root,
dc8c34
 	slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_OID, &extop_oid);
dc8c34
 	slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value);
dc8c34
 
dc8c34
-	if (NULL == extop_oid ||
dc8c34
+	if ((NULL == extop_oid) ||
dc8c34
 		((strcmp(extop_oid, REPL_START_NSDS50_REPLICATION_REQUEST_OID) != 0) &&
dc8c34
-		(strcmp(extop_oid, REPL_START_NSDS90_REPLICATION_REQUEST_OID) != 0)) ||
dc8c34
-		NULL == extop_value || NULL == extop_value->bv_val)
dc8c34
+		 (strcmp(extop_oid, REPL_START_NSDS90_REPLICATION_REQUEST_OID) != 0)) ||
dc8c34
+		!BV_HAS_DATA(extop_value))
dc8c34
 	{
dc8c34
 		/* bogus */
dc8c34
 		rc = -1;
dc8c34
@@ -480,9 +480,9 @@ decode_endrepl_extop(Slapi_PBlock *pb, char **repl_root)
dc8c34
 	slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_OID, &extop_oid);
dc8c34
 	slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value);
dc8c34
 
dc8c34
-	if (NULL == extop_oid ||
dc8c34
-		strcmp(extop_oid, REPL_END_NSDS50_REPLICATION_REQUEST_OID) != 0 ||
dc8c34
-		NULL == extop_value || NULL == extop_value->bv_val)
dc8c34
+	if ((NULL == extop_oid) || 
dc8c34
+	    (strcmp(extop_oid, REPL_END_NSDS50_REPLICATION_REQUEST_OID) != 0) ||
dc8c34
+	    !BV_HAS_DATA(extop_value))
dc8c34
 	{
dc8c34
 		/* bogus */
dc8c34
 		rc = -1;
dc8c34
@@ -545,8 +545,8 @@ decode_repl_ext_response(struct berval *bvdata, int *response_code,
dc8c34
 	PR_ASSERT(NULL != response_code);
dc8c34
 	PR_ASSERT(NULL != ruv_bervals);
dc8c34
 
dc8c34
-	if (NULL == bvdata || NULL == response_code || NULL == ruv_bervals ||
dc8c34
-		NULL == data_guid || NULL == data || NULL == bvdata->bv_val)
dc8c34
+	if ((NULL == response_code) || (NULL == ruv_bervals) ||
dc8c34
+	    (NULL == data_guid) || (NULL == data) || !BV_HAS_DATA(bvdata))
dc8c34
 	{
dc8c34
 		return_value = -1;
dc8c34
 	}
dc8c34
@@ -1412,6 +1412,11 @@ decode_cleanruv_payload(struct berval *extop_value, char **payload)
dc8c34
 {
dc8c34
 	BerElement *tmp_bere = NULL;
dc8c34
 	int rc = 0;
dc8c34
+        
dc8c34
+	if (!BV_HAS_DATA(extop_value)) {
dc8c34
+		rc = -1;
dc8c34
+		goto free_and_return;                    
dc8c34
+	}
dc8c34
 
dc8c34
 	if ((tmp_bere = ber_init(extop_value)) == NULL){
dc8c34
 		rc = -1;
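Review bot: The added block is indented with spaces and carries trailing whitespace — the blank line before the `if` is a run of bare spaces and `goto free_and_return;` is followed by trailing blanks — while the rest of decode_cleanruv_payload is tab-indented. Strip the trailing whitespace and indent the new lines with a tab so they match the surrounding code and do not show up as noise in later diffs and blame. The check itself correctly precedes ber_init; the function's body continues outside the hunk.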
dc8c34
diff --git a/ldap/servers/plugins/replication/windows_private.c b/ldap/servers/plugins/replication/windows_private.c
dc8c34
index 355abd5..20360a3 100644
dc8c34
--- a/ldap/servers/plugins/replication/windows_private.c
dc8c34
+++ b/ldap/servers/plugins/replication/windows_private.c
dc8c34
@@ -782,6 +782,13 @@ void windows_private_update_dirsync_control(const Repl_Agmt *ra,LDAPControl **co
dc8c34
 			dirsync = slapi_dup_control( controls[i-1]);
dc8c34
 		}
dc8c34
 
dc8c34
+		if (!dirsync || !BV_HAS_DATA((&(dirsync->ldctl_value)))) {
dc8c34
+#ifdef FOR_DEBUGGING
dc8c34
+			return_value = LDAP_CONTROL_NOT_FOUND;
dc8c34
+#endif
dc8c34
+			goto choke;
dc8c34
+		}
dc8c34
+                
dc8c34
 		ber = ber_init( &dirsync->ldctl_value ) ;
dc8c34
 
dc8c34
 		if (ber_scanf( ber, "{iiO}", &hasMoreData, &maxAttributeCount, &serverCookie) == LBER_ERROR)
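Review bot: The result of `ber = ber_init( &dirsync->ldctl_value )` on the line after the new guard is still passed to `ber_scanf` without a NULL check, so the guard closes the empty-value crash but not a ber_init failure; `if (ber == NULL || ber_scanf( ber, "{iiO}", &hasMoreData, &maxAttributeCount, &serverCookie) == LBER_ERROR)` would cover both. The new guard also discards a value-less dirsync control silently in non-debug builds, since `return_value` is only assigned under FOR_DEBUGGING and the function is void; a log line at that point would let an operator see why a dirsync cycle stopped, assuming the file's usual slapi_log_error convention applies. windows_private_update_dirsync_control continues outside the hunk.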
dc8c34
diff --git a/ldap/servers/slapd/back-ldbm/sort.c b/ldap/servers/slapd/back-ldbm/sort.c
dc8c34
index 501765c..6984467 100644
dc8c34
--- a/ldap/servers/slapd/back-ldbm/sort.c
dc8c34
+++ b/ldap/servers/slapd/back-ldbm/sort.c
dc8c34
@@ -299,15 +299,14 @@ int parse_sort_spec(struct berval *sort_spec_ber, sort_spec **ps)
dc8c34
 	char *matchrule = NULL;
dc8c34
 	int rc = LDAP_SUCCESS;
dc8c34
 
dc8c34
-	if (NULL == sort_spec_ber->bv_val) {
dc8c34
+	if (!BV_HAS_DATA(sort_spec_ber)) {
dc8c34
 		return LDAP_PROTOCOL_ERROR;
dc8c34
 	}
dc8c34
 
dc8c34
 	ber = ber_init(sort_spec_ber);
dc8c34
-    if(ber==NULL)
dc8c34
-    {
dc8c34
-        return -1;
dc8c34
-    }
dc8c34
+	if (ber == NULL) {
dc8c34
+		return -1;
dc8c34
+	}
dc8c34
 
dc8c34
 	/* Work our way along the BER, one sort spec at a time */
dc8c34
 	for ( tag = ber_first_element( ber, &len, &last ); !term_tag(tag); tag = ber_next_element( ber, &len, last )) {
dc8c34
diff --git a/ldap/servers/slapd/back-ldbm/vlv.c b/ldap/servers/slapd/back-ldbm/vlv.c
dc8c34
index 39d16bf..2c09531 100644
dc8c34
--- a/ldap/servers/slapd/back-ldbm/vlv.c
dc8c34
+++ b/ldap/servers/slapd/back-ldbm/vlv.c
dc8c34
@@ -1861,11 +1861,11 @@ vlv_parse_request_control( backend *be, struct berval *vlv_spec_ber,struct vlv_r
dc8c34
    	*/
dc8c34
     BerElement *ber = NULL;
dc8c34
     int return_value = LDAP_SUCCESS;
dc8c34
-	
dc8c34
+
dc8c34
     vlvp->value.bv_len = 0;
dc8c34
     vlvp->value.bv_val = NULL;
dc8c34
 
dc8c34
-    if (NULL == vlv_spec_ber->bv_val)
dc8c34
+    if (!BV_HAS_DATA(vlv_spec_ber))
dc8c34
     {
dc8c34
         return_value= LDAP_OPERATIONS_ERROR;
dc8c34
         return return_value;
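Review bot: An empty or missing VLV control value is answered with LDAP_OPERATIONS_ERROR here, while the same condition in parse_sort_spec (sort.c, in this same patch) returns LDAP_PROTOCOL_ERROR. A client-supplied control that cannot be decoded is a protocol error rather than a server fault, so unless a caller depends on the current code, `return_value= LDAP_PROTOCOL_ERROR;` would make the two paths consistent. vlv_parse_request_control's body continues outside the hunk.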
dc8c34
diff --git a/ldap/servers/slapd/passwd_extop.c b/ldap/servers/slapd/passwd_extop.c
dc8c34
index 3c050d6..4aebee3 100644
dc8c34
--- a/ldap/servers/slapd/passwd_extop.c
dc8c34
+++ b/ldap/servers/slapd/passwd_extop.c
dc8c34
@@ -534,7 +534,7 @@ passwd_modify_extop( Slapi_PBlock *pb )
dc8c34
 	/* Get the ber value of the extended operation */
dc8c34
 	slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value);
dc8c34
 
dc8c34
-	if (extop_value->bv_val == NULL)
dc8c34
+	if (!BV_HAS_DATA(extop_value))
dc8c34
 	{
dc8c34
 		/* The request field wasn't provided.  We'll
dc8c34
 		 * now try to determine the userid and verify
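Review bot: The comment under the new check says "The request field wasn't provided", but with BV_HAS_DATA the branch is now also taken when a request value is present with a zero length. Falling back to the bound identity in that case looks intended, but the comment should say so: `/* The request field wasn't provided, or had an empty value. We'll`. passwd_modify_extop's body continues outside the hunk.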
dc8c34
diff --git a/ldap/servers/slapd/proxyauth.c b/ldap/servers/slapd/proxyauth.c
dc8c34
index fe36cf1..562ac93 100644
dc8c34
--- a/ldap/servers/slapd/proxyauth.c
dc8c34
+++ b/ldap/servers/slapd/proxyauth.c
dc8c34
@@ -96,7 +96,7 @@ parse_LDAPProxyAuth(struct berval *spec_ber, int version, char **errtextp,
dc8c34
 		break;
dc8c34
 	}
dc8c34
 
dc8c34
-	if ( !spec_ber || !spec_ber->bv_val ) {
dc8c34
+	if (!BV_HAS_DATA(spec_ber)) {
dc8c34
 		break;
dc8c34
 	}
dc8c34
 
dc8c34
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
dc8c34
index 4962b2a..f78787e 100644
dc8c34
--- a/ldap/servers/slapd/slapi-plugin.h
dc8c34
+++ b/ldap/servers/slapd/slapi-plugin.h
dc8c34
@@ -107,6 +107,10 @@ NSPR_API(PRUint32) PR_fprintf(struct PRFileDesc* fd, const char *fmt, ...)
dc8c34
 #define BERLEN_T "u"
dc8c34
 #endif
dc8c34
 
dc8c34
+/* Common check on berval before accessing the contents. */
dc8c34
+/* bv is a struct berval *bv */
dc8c34
+#define BV_HAS_DATA(bv) ((bv != NULL) && (bv->bv_len > 0) && (bv->bv_val != NULL))
dc8c34
+
dc8c34
 /*
dc8c34
  * The slapi_attr_get_flags() routine returns a bitmap that contains one or
dc8c34
  * more of these values.
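Review bot: BV_HAS_DATA does not parenthesize its `bv` parameter, so `bv->bv_len` expands with whatever precedence the argument has; the callers in cb_controls.c and windows_private.c already work around this by passing `(&(x))` with an extra pair of parentheses so that `&x->bv_len` is not parsed as `&(x->bv_len)`. Parenthesize the parameter, `#define BV_HAS_DATA(bv) (((bv) != NULL) && ((bv)->bv_len > 0) && ((bv)->bv_val != NULL))`, and extend the comment to say that the argument is evaluated up to three times and must be side-effect free. The comment should also state the contract the rest of the patch relies on: true only when bv is non-NULL, has a non-zero length and a non-NULL buffer, and, per the bug description, this must hold before the berval is handed to ber_init().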
dc8c34
-- 
1.7.7.6