From 16b2868a1314660f00afadaaf94a73e0346203e9 Mon Sep 17 00:00:00 2001 From: Mark Reynolds Date: Mon, 1 Jul 2013 14:25:16 -0400 Subject: [PATCH] CVE-2013-2219 ACLs inoperative in some search scenarios --- ldap/servers/plugins/acl/acl.c | 6 +++++- ldap/servers/plugins/acl/acl.h | 1 + ldap/servers/plugins/acl/aclutil.c | 11 +++++++++++ ldap/servers/slapd/filterentry.c | 14 ++++++++++---- 4 files changed, 27 insertions(+), 5 deletions(-) diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c index 3389404..4516cf8 100644 --- a/ldap/servers/plugins/acl/acl.c +++ b/ldap/servers/plugins/acl/acl.c @@ -2136,7 +2136,11 @@ acl__resource_match_aci( Acl_PBlock *aclpb, aci_t *aci, int skip_attrEval, int * * calculated from the targetdn and stored judiciously there */ matched_val = (char *)acl_ht_lookup( aclpb->aclpb_macro_ht, - (PLHashNumber)aci->aci_index); + (PLHashNumber)aci->aci_index); + } else { + /* new entry, remove macro evaluation from hash table */ + acl_ht_remove_and_free( aclpb->aclpb_macro_ht, + (PLHashNumber)aci->aci_index); } if ( matched_val == NULL && (aclpb->aclpb_res_type & (ACLPB_NEW_ENTRY | ACLPB_EFFECTIVE_RIGHTS))) { diff --git a/ldap/servers/plugins/acl/acl.h b/ldap/servers/plugins/acl/acl.h index 28c38e7..e2b04c3 100644 --- a/ldap/servers/plugins/acl/acl.h +++ b/ldap/servers/plugins/acl/acl.h @@ -928,6 +928,7 @@ int aclutil_str_append_ext(char **dest, size_t *dlen, const char *src, size_t sl /* acl hash table functions */ void acl_ht_add_and_freeOld(acl_ht_t * acl_ht, PLHashNumber key,char *value); +void acl_ht_remove_and_free(acl_ht_t * acl_ht, PLHashNumber key); acl_ht_t *acl_ht_new(void); void acl_ht_free_all_entries_and_values( acl_ht_t *acl_ht); void acl_ht_remove( acl_ht_t *acl_ht, PLHashNumber key); diff --git a/ldap/servers/plugins/acl/aclutil.c b/ldap/servers/plugins/acl/aclutil.c index 7097540..77ec35f 100644 --- a/ldap/servers/plugins/acl/aclutil.c +++ b/ldap/servers/plugins/acl/aclutil.c @@ -1396,6 +1396,17 @@ void acl_ht_add_and_freeOld(acl_ht_t * acl_ht, PL_HashTableAdd( acl_ht, (const void *)pkey, value); } +void acl_ht_remove_and_free(acl_ht_t * acl_ht, + PLHashNumber key){ + char *old_value = NULL; + uintptr_t pkey = (uintptr_t)key; + + if ( (old_value = (char *)acl_ht_lookup( acl_ht, key)) != NULL ) { + acl_ht_remove( acl_ht, key); + slapi_ch_free_string(&old_value); + } +} + /* * Return a new acl_ht_t * */ diff --git a/ldap/servers/slapd/filterentry.c b/ldap/servers/slapd/filterentry.c index 549bac7..880169a 100644 --- a/ldap/servers/slapd/filterentry.c +++ b/ldap/servers/slapd/filterentry.c @@ -1037,8 +1037,11 @@ vattr_test_filter_list( for ( f = flist; f != NULL; f = f->f_next ) { if ( slapi_vattr_filter_test_ext_internal( pb, e, f, verify_access, only_check_access, access_check_done ) != 0 ) { /* optimize AND evaluation */ - if ( ftype == LDAP_FILTER_AND ) { - /* one false is failure */ + if ( ftype == LDAP_FILTER_AND || verify_access) { + /* one false is failure + * for AND all components need to match + * and for AND and OR access to ALL filter attributes is required + */ nomatch = 1; break; } @@ -1046,8 +1049,11 @@ vattr_test_filter_list( nomatch = 0; /* optimize OR evaluation too */ - if ( ftype == LDAP_FILTER_OR ) { - /* only one needs to be true */ + if ( ftype == LDAP_FILTER_OR && !verify_access) { + /* access to all atributes needs to be evaluated + * for filter matching + * only one needs to be true + */ break; } } -- 1.7.1