
Re: (ITS#3419) slap_sasl_getdn() does not escape RDN value



--19701020
Content-Type: text/plain; charset=US-ASCII
Content-Disposition: inline


Pierangelo,

I tested the attached back-ported patch against 2.2.19 and it works
fine.

Thanks!

regards,

-- Luke

>From: Pierangelo Masarati <ando@sys-net.it>
>Subject: Re: (ITS#3419) slap_sasl_getdn() does not escape RDN value
>To: lukeh@padl.com
>Cc: openldap-its@OpenLDAP.org
>Date: Mon, 06 Dec 2004 15:18:30 +0100
>
>Luke,
>
>should be fixed in HEAD; please test.  This is something we could surely 
>backport to 2.2 if you confirm the fix works as expected.
>
>Ciao, p.
>
>
>
>    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
>


--19701020
Content-Type: text/plain; name="sasl.diff"; x-unix-mode=0644
Content-Disposition: attachment; filename="sasl.diff"

Index: sasl.c
===================================================================
RCS file: /repo/OpenLDAP/pkg/ldap/servers/slapd/sasl.c,v
retrieving revision 1.165.2.17
diff -u -r1.165.2.17 sasl.c
--- sasl.c	12 Sep 2004 20:22:39 -0000	1.165.2.17
+++ sasl.c	7 Dec 2004 03:30:13 -0000
@@ -1792,54 +1792,74 @@
 
 	/* Username strings */
 	if( is_dn == SET_U ) {
-		char		*p;
-		struct berval	realm = BER_BVNULL, c1 = *dn;
+		/* ITS#3419: values may need escape */
+		LDAPRDN		DN[ 5 ];
+		LDAPAVA 	*RDNs[ 4 ][ 2 ];
+		LDAPAVA 	AVAs[ 4 ];
+		int		irdn;
+
+		irdn = 0;
+		DN[ irdn ] = RDNs[ irdn ];
+		RDNs[ irdn ][ 0 ] = &AVAs[ irdn ];
+		AVAs[ irdn ].la_attr.bv_val = "uid";
+		AVAs[ irdn ].la_attr.bv_len = sizeof("uid") - 1;
+		AVAs[ irdn ].la_value = *dn;
+		AVAs[ irdn ].la_flags = LDAP_AVA_NULL;
+		AVAs[ irdn ].la_private = NULL;
+		RDNs[ irdn ][ 1 ] = NULL;
+
+		if ( user_realm && *user_realm ) {
+			irdn++;
+			DN[ irdn ] = RDNs[ irdn ];
+			RDNs[ irdn ][ 0 ] = &AVAs[ irdn ];
+			AVAs[ irdn ].la_attr.bv_val = "cn";
+			AVAs[ irdn ].la_attr.bv_len = sizeof("cn") - 1;
+			ber_str2bv( user_realm, 0, 0, &AVAs[ irdn ].la_value );
+			AVAs[ irdn ].la_flags = LDAP_AVA_NULL;
+			AVAs[ irdn ].la_private = NULL;
+			RDNs[ irdn ][ 1 ] = NULL;
+		}
+
+		if ( mech->bv_val != NULL ) {
+			irdn++;
+			DN[ irdn ] = RDNs[ irdn ];
+			RDNs[ irdn ][ 0 ] = &AVAs[ irdn ];
+			AVAs[ irdn ].la_attr.bv_val = "cn";
+			AVAs[ irdn ].la_attr.bv_len = sizeof("cn") - 1;
+			AVAs[ irdn ].la_value = *mech;
+			AVAs[ irdn ].la_flags = LDAP_AVA_NULL;
+			AVAs[ irdn ].la_private = NULL;
+			RDNs[ irdn ][ 1 ] = NULL;
+		}
+
+		irdn++;
+		DN[ irdn ] = RDNs[ irdn ];
+		RDNs[ irdn ][ 0 ] = &AVAs[ irdn ];
+		AVAs[ irdn ].la_attr.bv_val = "cn";
+		AVAs[ irdn ].la_attr.bv_len = sizeof("cn") - 1;
+		AVAs[ irdn ].la_value.bv_val = "auth";
+		AVAs[ irdn ].la_value.bv_len = sizeof("auth") - 1;
+		AVAs[ irdn ].la_flags = LDAP_AVA_NULL;
+		AVAs[ irdn ].la_private = NULL;
+		RDNs[ irdn ][ 1 ] = NULL;
 
-		len = dn->bv_len + sizeof("uid=")-1 + sizeof(",cn=auth")-1;
+		irdn++;
+		DN[ irdn ] = NULL;
 
-		if( user_realm && *user_realm ) {
-			realm.bv_val = user_realm;
-			realm.bv_len = strlen( user_realm );
- 			len += realm.bv_len + sizeof(",cn=") - 1;
-		}
-
-		if( mech->bv_len ) {
-			len += mech->bv_len + sizeof(",cn=")-1;
-		}
-
-		/* Build the new dn */
-		dn->bv_val = sl_malloc( len+1, op->o_tmpmemctx );
-		if( dn->bv_val == NULL ) {
-#ifdef NEW_LOGGING
-			LDAP_LOG( TRANSPORT, ERR, 
-				"slap_sasl_getdn: SLAP_MALLOC failed", 0, 0, 0 );
-#else
-			Debug( LDAP_DEBUG_ANY, 
-				"slap_sasl_getdn: SLAP_MALLOC failed", 0, 0, 0 );
-#endif
-			return LDAP_OTHER;
-		}
-		p = lutil_strcopy( dn->bv_val, "uid=" );
-		p = lutil_strncopy( p, c1.bv_val, c1.bv_len );
-
-		if( realm.bv_len ) {
-			p = lutil_strcopy( p, ",cn=" );
-			p = lutil_strncopy( p, realm.bv_val, realm.bv_len );
-		}
-
-		if( mech->bv_len ) {
-			p = lutil_strcopy( p, ",cn=" );
-			p = lutil_strcopy( p, mech->bv_val );
+		rc = ldap_dn2bv_x( DN, dn, LDAP_DN_FORMAT_LDAPV3, op->o_tmpmemctx );
+		if ( rc != LDAP_SUCCESS ) {
+			dn->bv_val = NULL;
+			dn->bv_len = 0;
+			return rc;
 		}
-		p = lutil_strcopy( p, ",cn=auth" );
-		dn->bv_len = p - dn->bv_val;
 
 #ifdef NEW_LOGGING
-		LDAP_LOG( TRANSPORT, ENTRY, 
+		LDAP_LOG( TRANSPORT, ENTRY,
 			"slap_sasl_getdn: u:id converted to %s.\n", dn->bv_val, 0, 0 );
 #else
 		Debug( LDAP_DEBUG_TRACE, "slap_sasl_getdn: u:id converted to %s\n", dn->bv_val,0,0 );
 #endif
+
 	} else {
 		
 		/* Dup the DN in any case, so we don't risk 
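Review bot: The guard for the mechanism RDN changed from `if( mech->bv_len )` to `if ( mech->bv_val != NULL )`, so a mech that is non-NULL but zero-length, which the old code skipped, now adds an empty-valued `cn=` component to the DN passed to `ldap_dn2bv_x()`. Whether any caller passes such a value is not visible here, but this DN is presumably what later authorization mapping matches on, so keeping the old shape is safer: `if ( mech->bv_val != NULL && mech->bv_len != 0 ) {`. The new failure branch also returns `rc` without a log line, whereas the removed allocation-failure path logged one; adding `Debug( LDAP_DEBUG_ANY, "slap_sasl_getdn: ldap_dn2bv_x failed (%d)\n", rc, 0, 0 );` (plus its `NEW_LOGGING` counterpart) before the return would make a failed conversion diagnosable. The enclosing function starts before and continues after this hunk.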

--19701020
Content-Type: text/plain; charset=US-ASCII
Content-Disposition: inline

--

--19701020--