
bug: openldapaci (slapd crashes if a dn contains '#')



Hello,

problem :
if a user's cn (aka access-id) contains a '#' and this user is granted access by an
openldapaci definition, then slapd crashes after ' <<< dnNormalize:'.

fix:
the whole dn after the last '#' in an openldapaci is now used

------snipp-------
--- acl.c.orig	Thu Aug 12 07:47:00 2004
+++ acl.c	Thu Aug 12 07:52:48 2004
@@ -1701,6 +1701,7 @@
 	struct berval *list,
 	int ix,
 	char sep,
+        int  getall,
 	struct berval *bv )
 {
 	int len;
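Review bot: The new `getall` parameter is an undocumented int flag, and every caller now passes a bare `0` or `1`, so its meaning has to be guessed from the body. A short comment above the parameter list would help, for example `/* getall != 0: return everything after the ix-th separator, ignoring later occurrences of sep */`. The added line is also indented with spaces while the surrounding parameters use a tab. The function's name and most of its body lie outside this hunk.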
@@ -1725,10 +1726,16 @@
 		return(0);
 
 	bv->bv_val = p;
-	while (--len >= 0 && *p != sep) {
-		bv->bv_len++;
-		p++;
-	}
+        if (getall) {
+                bv->bv_len = len ;
+                p += len ;
+        }
+        else {
+                while (--len >= 0 && *p != sep) {
+        		bv->bv_len++;
+        		p++;
+        	}
+        }
 	while (bv->bv_len > 0 && *--p == ' ')
 		bv->bv_len--;
 	return(bv->bv_len);
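Review bot: In the `getall` branch, `bv->bv_len = len;` copies a signed `int` into the berval length with no visible check, so it is only safe if the code above the hunk guarantees `len >= 0` at this point. The old loop could never count more than the remaining bytes, whereas the new assignment would turn a negative `len` into a very large length (assuming `bv_len` is the unsigned `ber_len_t`) if that guarantee ever changed. I would state the invariant next to the assignment, e.g. `/* len >= 0 here: bytes remaining after the ix-th separator */`, after confirming it against the part of the function not shown here. The new block also mixes space and tab indentation and should use tabs like the lines around it.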
@@ -1784,11 +1791,11 @@
 		AttributeDescription *desc = NULL;
 
 		/* format of string is "entry/setAttrName" */
-		if (aci_get_part(subj, 0, '/', &subjdn) < 0) {
+		if (aci_get_part(subj, 0, '/', 0, &subjdn) < 0) {
 			return(0);
 		}
 
-		if ( aci_get_part(subj, 1, '/', &setat) < 0 ) {
+		if ( aci_get_part(subj, 1, '/', 1, &setat) < 0 ) {
 			setat = aci_bv_set_attr;
 		}
 
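Review bot: Passing `1` for `getall` in `aci_get_part(subj, 1, '/', 1, &setat)` changes how the set attribute name is parsed, which the message does not mention; it only describes taking the whole DN after '#'. With this call a subject of the form "entry/attr/extra" would yield `attr/extra` as the attribute name instead of `attr`. The same applies to `aci_get_part(&bv, 1, '=',1, &right)` in the `@@ -1880,9 +1887,9 @@` hunk, where the value now includes any later '='. Since these strings decide access, I would keep `0` at both sites (`aci_get_part(subj, 1, '/', 0, &setat)`) unless the wider match is intended and described. The enclosing function starts and ends outside the hunk.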
@@ -1835,7 +1842,7 @@
 	int i;
 
 	ACL_INIT(mask);
-	for (i = 0; aci_get_part(list, i, ',', &bv) >= 0; i++) {
+	for (i = 0; aci_get_part(list, i, ',',0, &bv) >= 0; i++) {
 		if (bv.bv_len <= 0)
 			continue;
 		switch (*bv.bv_val) {
@@ -1880,9 +1887,9 @@
 	struct berval bv, left, right;
 	int i;
 
-	for (i = 0; aci_get_part(list, i, ',', &bv) >= 0; i++) {
-		if (aci_get_part(&bv, 0, '=', &left) < 0
-			|| aci_get_part(&bv, 1, '=', &right) < 0)
+	for (i = 0; aci_get_part(list, i, ',',0, &bv) >= 0; i++) {
+		if (aci_get_part(&bv, 0, '=',0, &left) < 0
+			|| aci_get_part(&bv, 1, '=',1, &right) < 0)
 		{
 			if (ber_bvstrcasecmp(attr, &bv) == 0)
 				return(1);
@@ -1905,7 +1912,7 @@
 				*
 				* Ideally, this would allow r.e. matches.
 				*/
-				if (aci_get_part(&right, 0, '*', &left) < 0
+				if (aci_get_part(&right, 0, '*',0, &left) < 0
 					|| right.bv_len <= left.bv_len)
 				{
 					if (ber_bvstrcasecmp(val, &right) == 0)
@@ -1932,10 +1939,10 @@
 
 	/* loop through each rights/attr pair, skip first part (action) */
 	ACL_INIT(mask);
-	for (i = 1; aci_get_part(list, i + 1, ';', &bv) >= 0; i += 2) {
+	for (i = 1; aci_get_part(list, i + 1, ';',0, &bv) >= 0; i += 2) {
 		if (aci_list_has_attr(&bv, attr, val) == 0)
 			continue;
-		if (aci_get_part(list, i, ';', &bv) < 0)
+		if (aci_get_part(list, i, ';',0, &bv) < 0)
 			continue;
 		mask |= aci_list_map_rights(&bv);
 	}
@@ -1963,8 +1970,8 @@
 	ACL_INIT(*grant);
 	ACL_INIT(*deny);
 	/* loop through each permissions clause */
-	for (i = 0; aci_get_part(list, i, '$', &perm) >= 0; i++) {
-		if (aci_get_part(&perm, 0, ';', &actn) < 0)
+	for (i = 0; aci_get_part(list, i, '$', 0,&perm) >= 0; i++) {
+		if (aci_get_part(&perm, 0, ';', 0,&actn) < 0)
 			continue;
 		if (ber_bvstrcasecmp( &aci_bv_grant, &actn ) == 0) {
 			mask = grant;
@@ -2000,15 +2007,15 @@
 	int rc;
 
 	/* format of string is "group/objectClassValue/groupAttrName" */
-	if (aci_get_part(subj, 0, '/', &subjdn) < 0) {
+	if (aci_get_part(subj, 0, '/',0, &subjdn) < 0) {
 		return(0);
 	}
 
-	if (aci_get_part(subj, 1, '/', &grpoc) < 0) {
+	if (aci_get_part(subj, 1, '/', 0,&grpoc) < 0) {
 		grpoc = *defgrpoc;
 	}
 
-	if (aci_get_part(subj, 2, '/', &grpat) < 0) {
+	if (aci_get_part(subj, 2, '/', 0,&grpat) < 0) {
 		grpat = *defgrpat;
 	}
 
@@ -2068,22 +2075,22 @@
 	   For now, this routine only supports scope=entry.
 	*/
 	/* check that the aci has all 5 components */
-	if (aci_get_part(aci, 4, '#', NULL) < 0)
+	if (aci_get_part(aci, 4, '#',1, NULL) < 0)
 		return(0);
 
 	/* check that the aci family is supported */
-	if (aci_get_part(aci, 0, '#', &bv) < 0)
+	if (aci_get_part(aci, 0, '#', 0, &bv) < 0)
 		return(0);
 
 	/* check that the scope matches */
-	if (aci_get_part(aci, 1, '#', &bv) < 0
+	if (aci_get_part(aci, 1, '#', 0, &bv) < 0
 		|| ber_bvstrcasecmp( scope, &bv ) != 0)
 	{
 		return(0);
 	}
 
 	/* get the list of permissions clauses, bail if empty */
-	if (aci_get_part(aci, 2, '#', &perms) <= 0)
+	if (aci_get_part(aci, 2, '#', 0, &perms) <= 0)
 		return(0);
 
 	/* check if any permissions allow desired access */
@@ -2091,10 +2098,10 @@
 		return(0);
 
 	/* see if we have a DN match */
-	if (aci_get_part(aci, 3, '#', &bv) < 0)
+	if (aci_get_part(aci, 3, '#', 0, &bv) < 0)
 		return(0);
 
-	if (aci_get_part(aci, 4, '#', &sdn) < 0)
+	if (aci_get_part(aci, 4, '#', 1, &sdn) < 0)
 		return(0);
 
 	if (ber_bvstrcasecmp( &aci_bv_access_id, &bv ) == 0) {
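Review bot: The crash itself is not addressed in the visible code: the report says slapd dies after `<<< dnNormalize:`, and this hunk only changes which bytes end up in `sdn`. If the code following this hunk uses the normalized DN without checking the result of the normalization call (not visible here, so this is an assumption), a subject that is malformed for any other reason would presumably still crash the server. That call should have its result checked, and the function should `return(0);` on failure so that a bad ACI value denies access rather than stopping slapd. The enclosing function continues outside the hunk.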

------snipp-------

best regards 
Harald Jung

--- acl.c.orig	Thu Aug 12 07:47:00 2004
+++ acl.c	Thu Aug 12 07:52:48 2004
@@ -1701,6 +1701,7 @@
 	struct berval *list,
 	int ix,
 	char sep,
+        int  getall,
 	struct berval *bv )
 {
 	int len;
@@ -1725,10 +1726,16 @@
 		return(0);
 
 	bv->bv_val = p;
-	while (--len >= 0 && *p != sep) {
-		bv->bv_len++;
-		p++;
-	}
+        if (getall) {
+                bv->bv_len = len ;
+                p += len ;
+        }
+        else {
+                while (--len >= 0 && *p != sep) {
+        		bv->bv_len++;
+        		p++;
+        	}
+        }
 	while (bv->bv_len > 0 && *--p == ' ')
 		bv->bv_len--;
 	return(bv->bv_len);
@@ -1784,11 +1791,11 @@
 		AttributeDescription *desc = NULL;
 
 		/* format of string is "entry/setAttrName" */
-		if (aci_get_part(subj, 0, '/', &subjdn) < 0) {
+		if (aci_get_part(subj, 0, '/', 0, &subjdn) < 0) {
 			return(0);
 		}
 
-		if ( aci_get_part(subj, 1, '/', &setat) < 0 ) {
+		if ( aci_get_part(subj, 1, '/', 1, &setat) < 0 ) {
 			setat = aci_bv_set_attr;
 		}
 
@@ -1835,7 +1842,7 @@
 	int i;
 
 	ACL_INIT(mask);
-	for (i = 0; aci_get_part(list, i, ',', &bv) >= 0; i++) {
+	for (i = 0; aci_get_part(list, i, ',',0, &bv) >= 0; i++) {
 		if (bv.bv_len <= 0)
 			continue;
 		switch (*bv.bv_val) {
@@ -1880,9 +1887,9 @@
 	struct berval bv, left, right;
 	int i;
 
-	for (i = 0; aci_get_part(list, i, ',', &bv) >= 0; i++) {
-		if (aci_get_part(&bv, 0, '=', &left) < 0
-			|| aci_get_part(&bv, 1, '=', &right) < 0)
+	for (i = 0; aci_get_part(list, i, ',',0, &bv) >= 0; i++) {
+		if (aci_get_part(&bv, 0, '=',0, &left) < 0
+			|| aci_get_part(&bv, 1, '=',1, &right) < 0)
 		{
 			if (ber_bvstrcasecmp(attr, &bv) == 0)
 				return(1);
@@ -1905,7 +1912,7 @@
 				*
 				* Ideally, this would allow r.e. matches.
 				*/
-				if (aci_get_part(&right, 0, '*', &left) < 0
+				if (aci_get_part(&right, 0, '*',0, &left) < 0
 					|| right.bv_len <= left.bv_len)
 				{
 					if (ber_bvstrcasecmp(val, &right) == 0)
@@ -1932,10 +1939,10 @@
 
 	/* loop through each rights/attr pair, skip first part (action) */
 	ACL_INIT(mask);
-	for (i = 1; aci_get_part(list, i + 1, ';', &bv) >= 0; i += 2) {
+	for (i = 1; aci_get_part(list, i + 1, ';',0, &bv) >= 0; i += 2) {
 		if (aci_list_has_attr(&bv, attr, val) == 0)
 			continue;
-		if (aci_get_part(list, i, ';', &bv) < 0)
+		if (aci_get_part(list, i, ';',0, &bv) < 0)
 			continue;
 		mask |= aci_list_map_rights(&bv);
 	}
@@ -1963,8 +1970,8 @@
 	ACL_INIT(*grant);
 	ACL_INIT(*deny);
 	/* loop through each permissions clause */
-	for (i = 0; aci_get_part(list, i, '$', &perm) >= 0; i++) {
-		if (aci_get_part(&perm, 0, ';', &actn) < 0)
+	for (i = 0; aci_get_part(list, i, '$', 0,&perm) >= 0; i++) {
+		if (aci_get_part(&perm, 0, ';', 0,&actn) < 0)
 			continue;
 		if (ber_bvstrcasecmp( &aci_bv_grant, &actn ) == 0) {
 			mask = grant;
@@ -2000,15 +2007,15 @@
 	int rc;
 
 	/* format of string is "group/objectClassValue/groupAttrName" */
-	if (aci_get_part(subj, 0, '/', &subjdn) < 0) {
+	if (aci_get_part(subj, 0, '/',0, &subjdn) < 0) {
 		return(0);
 	}
 
-	if (aci_get_part(subj, 1, '/', &grpoc) < 0) {
+	if (aci_get_part(subj, 1, '/', 0,&grpoc) < 0) {
 		grpoc = *defgrpoc;
 	}
 
-	if (aci_get_part(subj, 2, '/', &grpat) < 0) {
+	if (aci_get_part(subj, 2, '/', 0,&grpat) < 0) {
 		grpat = *defgrpat;
 	}
 
@@ -2068,22 +2075,22 @@
 	   For now, this routine only supports scope=entry.
 	*/
 	/* check that the aci has all 5 components */
-	if (aci_get_part(aci, 4, '#', NULL) < 0)
+	if (aci_get_part(aci, 4, '#',1, NULL) < 0)
 		return(0);
 
 	/* check that the aci family is supported */
-	if (aci_get_part(aci, 0, '#', &bv) < 0)
+	if (aci_get_part(aci, 0, '#', 0, &bv) < 0)
 		return(0);
 
 	/* check that the scope matches */
-	if (aci_get_part(aci, 1, '#', &bv) < 0
+	if (aci_get_part(aci, 1, '#', 0, &bv) < 0
 		|| ber_bvstrcasecmp( scope, &bv ) != 0)
 	{
 		return(0);
 	}
 
 	/* get the list of permissions clauses, bail if empty */
-	if (aci_get_part(aci, 2, '#', &perms) <= 0)
+	if (aci_get_part(aci, 2, '#', 0, &perms) <= 0)
 		return(0);
 
 	/* check if any permissions allow desired access */
@@ -2091,10 +2098,10 @@
 		return(0);
 
 	/* see if we have a DN match */
-	if (aci_get_part(aci, 3, '#', &bv) < 0)
+	if (aci_get_part(aci, 3, '#', 0, &bv) < 0)
 		return(0);
 
-	if (aci_get_part(aci, 4, '#', &sdn) < 0)
+	if (aci_get_part(aci, 4, '#', 1, &sdn) < 0)
 		return(0);
 
 	if (ber_bvstrcasecmp( &aci_bv_access_id, &bv ) == 0) {