From 16b2868a1314660f00afadaaf94a73e0346203e9 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 1 Jul 2013 14:25:16 -0400
Subject: [PATCH] CVE-2013-2219 ACLs inoperative in some search scenarios

---
 ldap/servers/plugins/acl/acl.c     |    6 +++++-
 ldap/servers/plugins/acl/acl.h     |    1 +
 ldap/servers/plugins/acl/aclutil.c |   11 +++++++++++
 ldap/servers/slapd/filterentry.c   |   14 ++++++++++----
 4 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
index 3389404..4516cf8 100644
--- a/ldap/servers/plugins/acl/acl.c
+++ b/ldap/servers/plugins/acl/acl.c
@@ -2136,7 +2136,11 @@ acl__resource_match_aci( Acl_PBlock *aclpb, aci_t *aci, int skip_attrEval, int *
 			 * calculated from the targetdn and stored judiciously there
 			 */
 			matched_val = (char *)acl_ht_lookup( aclpb->aclpb_macro_ht,
-										(PLHashNumber)aci->aci_index);
+								(PLHashNumber)aci->aci_index);
+		} else {
+			/* new entry, remove macro evaluation from hash table */
+			acl_ht_remove_and_free( aclpb->aclpb_macro_ht,
+							(PLHashNumber)aci->aci_index);
 		}
 		if ( matched_val == NULL &&
 			(aclpb->aclpb_res_type & (ACLPB_NEW_ENTRY | ACLPB_EFFECTIVE_RIGHTS))) {
diff --git a/ldap/servers/plugins/acl/acl.h b/ldap/servers/plugins/acl/acl.h
index 28c38e7..e2b04c3 100644
--- a/ldap/servers/plugins/acl/acl.h
+++ b/ldap/servers/plugins/acl/acl.h
@@ -928,6 +928,7 @@ int aclutil_str_append_ext(char **dest, size_t *dlen, const char *src, size_t sl
 
 /* acl hash table functions */
 void acl_ht_add_and_freeOld(acl_ht_t * acl_ht, PLHashNumber key,char *value);
+void acl_ht_remove_and_free(acl_ht_t * acl_ht, PLHashNumber key);
 acl_ht_t *acl_ht_new(void);
 void acl_ht_free_all_entries_and_values( acl_ht_t *acl_ht);
 void acl_ht_remove( acl_ht_t *acl_ht, PLHashNumber key);
diff --git a/ldap/servers/plugins/acl/aclutil.c b/ldap/servers/plugins/acl/aclutil.c
index 7097540..77ec35f 100644
--- a/ldap/servers/plugins/acl/aclutil.c
+++ b/ldap/servers/plugins/acl/aclutil.c
@@ -1396,6 +1396,17 @@ void acl_ht_add_and_freeOld(acl_ht_t * acl_ht,
 	PL_HashTableAdd( acl_ht, (const void *)pkey, value);
 }
 
+void acl_ht_remove_and_free(acl_ht_t * acl_ht,
+					PLHashNumber key){
+	char *old_value = NULL;	
+	uintptr_t pkey = (uintptr_t)key;
+
+	if ( (old_value = (char *)acl_ht_lookup( acl_ht, key)) != NULL ) {
+		acl_ht_remove( acl_ht, key);
+		slapi_ch_free_string(&old_value);
+	}
+}
+
 /*
  * Return a new acl_ht_t *
 */
diff --git a/ldap/servers/slapd/filterentry.c b/ldap/servers/slapd/filterentry.c
index 549bac7..880169a 100644
--- a/ldap/servers/slapd/filterentry.c
+++ b/ldap/servers/slapd/filterentry.c
@@ -1037,8 +1037,11 @@ vattr_test_filter_list(
 	for ( f = flist; f != NULL; f = f->f_next ) {
 		if ( slapi_vattr_filter_test_ext_internal( pb, e, f, verify_access, only_check_access, access_check_done ) != 0 ) {
 			/* optimize AND evaluation */
-			if ( ftype == LDAP_FILTER_AND ) {
-				/* one false is failure */
+			if ( ftype == LDAP_FILTER_AND || verify_access) {
+				/* one false is failure
+				 * for AND all components need to match 
+				 * and for AND and OR access to ALL filter attributes is required
+				 */
 				nomatch = 1;
 				break;
 			}
@@ -1046,8 +1049,11 @@ vattr_test_filter_list(
 			nomatch = 0;
 
 			/* optimize OR evaluation too */
-			if ( ftype == LDAP_FILTER_OR ) {
-				/* only one needs to be true */
+			if ( ftype == LDAP_FILTER_OR && !verify_access) {
+				/* access to all atributes needs to be evaluated
+				 * for filter matching
+				 * only one needs to be true 
+				 */
 				break;
 			}
 		}
-- 
1.7.1