Re: certificateExactMatch: The (hopefully) final fix.
If you would like your patch considered for inclusion in
OpenLDAP Software, please submit it using the Issue
Tracking System. Thanks, Kurt
At 01:43 AM 12/17/2002, Mark Ruijter wrote:
>Kurt D. Zeilenga wrote:
>
>
>Okay. Let's fix that. Let's also fix the extensible matching
>problem (which is the only way the rule can be used with the
>schema as defined on the Standard Track).
>
>
>Kurt,
>
>Hereby the fix for the extensible matching problem.
>
>The patch, however, includes more. OpenLDAP with certificateExactMatch enabled will coredump when an incorrect search filter is specified.
>
>Example:
>usercertificate="56" or usercertificate=" $"
>The server only coredumps when certificateExactMatch is activated in the core.schema and the extensible matching rule is fixed.
>
>The bug is in serial_and_issuer_parse, where some things were not checked.
>I hope you approve of this patch.
>
>Grtz,
>
>Mark Ruijter
>
>diff -urN openldap-2.1.9a/servers/slapd/schema_init.c openldap-2.1.9/servers/slapd/schema_init.c
>--- openldap-2.1.9a/servers/slapd/schema_init.c Tue Nov 26 19:26:19 2002
>+++ openldap-2.1.9/servers/slapd/schema_init.c Mon Dec 16 23:08:17 2002
>@@ -3731,15 +3731,21 @@
> ;
> if ( p > end )
> return LDAP_INVALID_SYNTAX;
>-
> /* p now points at the $ sign, now use begin and end to delimit the
> serial number */
> while (ASCII_SPACE(*begin))
> begin++;
> end = p-1;
>+
>+ if ( end <= begin)
>+ return LDAP_INVALID_SYNTAX;
>+
> while (ASCII_SPACE(*end))
> end--;
>
>+ if ( p == end )
>+ return LDAP_INVALID_SYNTAX;
>+
> bv.bv_len = end-begin+1;
> bv.bv_val = begin;
> ber_dupbv(serial, &bv);
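Review bot: `if ( end <= begin)` rejects a valid one-character serial: with `end = p-1`, a value such as `5$cn=CA` has `end == begin`, so the test should be `if ( end < begin )`. The second new check, `if ( p == end )`, is unreachable, because `end` starts at `p-1` and the trim loop only ever decrements it; drop it. Once the `end < begin` test is in place the trailing-space loop is safe as written, since `begin` already stops on a non-space character and `end` can therefore not walk below it. The loop that positions `p` is not in this hunk and `if ( p > end )` only catches an overrun, so please confirm that a value with no `$` at all (the `usercertificate="56"` case from the message) cannot reach this point with `p == end` and be parsed as if the delimiter were present.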
>@@ -3796,9 +3802,10 @@
>
> X509_free(xcert);
>
>- serial_and_issuer_parse(assertedValue,
>+ ret = serial_and_issuer_parse(assertedValue,
> &asserted_serial,
> &asserted_issuer_dn);
>+ if ( ret != LDAP_SUCCESS ) return(ret);
>
> ret = integerMatch(
> matchp,
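Review bot: the early `return(ret)` after a failed `serial_and_issuer_parse` skips whatever cleanup follows in this function; if the certificate's own serial and issuer DN were copied into bervals before `X509_free(xcert)` (that code is above this hunk), they must be freed before returning here, otherwise the bad-filter case turns from a crash into a per-request leak. Also, slapd writes `return ret;` rather than `return(ret);`.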
>@@ -3925,12 +3932,13 @@
> BerVarray *keysp )
> {
> BerVarray keys;
>+ int ret;
> struct berval asserted_serial;
>
>- serial_and_issuer_parse(assertedValue,
>+ ret = serial_and_issuer_parse(assertedValue,
> &asserted_serial,
> NULL);
>-
>+ if ( ret != LDAP_SUCCESS ) return(ret);
> keys = ch_malloc( sizeof( struct berval ) * 2 );
> integerNormalize( syntax, &asserted_serial, &keys[0] );
> keys[1].bv_val = NULL;
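Review bot: on the error path `*keysp` is left unassigned; set `*keysp = NULL` before `return(ret)` so a caller that inspects `keys` regardless of the return code does not read an uninitialized pointer. Keep the blank line this hunk removes between the error check and `keys = ch_malloc(...)`, matching the layout of the matching-rule hunk above, and use `return ret;` as elsewhere in the file.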
>@@ -4408,9 +4416,10 @@
> * Chadwick in private mail.
> */
> {"( 1.2.826.0.1.3344810.7.1 DESC 'Serial Number and Issuer' )",
>- 0, NULL, NULL, NULL},
>+ SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, berValidate, NULL, NULL},
> #endif
>
>+
> /* OpenLDAP Experimental Syntaxes */
> #ifdef SLAPD_ACI_ENABLED
> {"( 1.3.6.1.4.1.4203.666.2.1 DESC 'OpenLDAP Experimental ACI' )",
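Review bot: the 'Serial Number and Issuer' syntax is switched to `SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER` with `berValidate`, but the assertion value this patch parses in `serial_and_issuer_parse` is a textual `serial $ issuer` string (the first hunk searches for the `$` sign), not a BER encoding, so the validator does not describe the value the parser expects. The message gives no rationale for this entry; if the motivation is only that the extensible-match path needs a non-NULL validator, the right fix is a validator for the `serial $ issuer` text form, and if the value really is meant to be BER the parser should say so. The extra blank line added before the `OpenLDAP Experimental Syntaxes` comment is unrelated whitespace and should be dropped.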
>@@ -4433,7 +4442,7 @@
>
> #ifdef HAVE_TLS
> char *certificateExactMatchSyntaxes[] = {
>- "1.3.6.1.4.1.1466.115.121.1.8" /* certificate */,
>+ "1.3.6.1.4.1.1466.115.121.1.8" /* certificate */,
> NULL
> };
> #endif
>
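Review bot: this hunk changes nothing but whitespace (the `-` and `+` lines for the certificate OID are otherwise identical); drop it from the patch.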
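As an added example, written for this page and not taken from OpenLDAP or from the patch above, here is a stand-alone C parser for the textual `serial $ issuer` assertion value that the thread is about. It is bounds-checked against the two inputs Mark reports as crashing slapd (`56`, which has no delimiter, and ` $`, an all-blank serial), accepts a one-character serial, trims whitespace on both sides of the `$` without stepping outside the input, and allocates only after every check has passed so a failure never leaves a half-built result for the caller to leak. The names `serial_and_issuer_parse`, `struct si_bv`, the `SI_*` codes and the helpers `si_rc` / `si_serial_len`, as well as the rule that the serial is a non-empty run of decimal digits, are assumptions made for the example; the sample inputs in `main` are constructed.

```c
/* Added example, not OpenLDAP code: a bounds-checked parser for the
 * textual certificateExactMatch assertion value "serial $ issuerDN".
 * All names below (serial_and_issuer_parse, SI_*, struct si_bv, si_rc,
 * si_serial_len) are assumptions for this example, not slapd's own. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SI_SUCCESS         0
#define SI_INVALID_SYNTAX  21   /* same numeric value as LDAP_INVALID_SYNTAX */
#define SI_NO_MEMORY       90   /* assumed local code for allocation failure */

struct si_bv { char *val; size_t len; };

/* Shrink [*b, *e) past leading/trailing ASCII whitespace without ever
 * reading outside the range.  Returns 1 if something non-blank is left. */
static int trim_span(const char **b, const char **e)
{
    while (*b < *e && isspace((unsigned char)**b)) (*b)++;
    while (*e > *b && isspace((unsigned char)(*e)[-1])) (*e)--;
    return *b < *e;
}

/* Copy [b, e) into a NUL-terminated berval-like struct. */
static int dup_span(const char *b, const char *e, struct si_bv *out)
{
    size_t n = (size_t)(e - b);
    out->val = malloc(n + 1);
    if (out->val == NULL) return SI_NO_MEMORY;
    memcpy(out->val, b, n);
    out->val[n] = '\0';
    out->len = n;
    return SI_SUCCESS;
}

/* Parse "serial $ issuer" from a length-delimited (not NUL-terminated)
 * assertion value.  The serial must be a non-empty run of decimal digits
 * (assumption: the patch compares it with integerMatch); the issuer must
 * be non-empty after trimming.  issuer may be NULL when only the serial
 * is wanted, as in a filter-indexing path. */
int serial_and_issuer_parse(const char *in, size_t inlen,
                            struct si_bv *serial, struct si_bv *issuer)
{
    const char *p, *sb, *se, *ib, *ie, *q;
    int rc;

    serial->val = NULL; serial->len = 0;
    if (issuer) { issuer->val = NULL; issuer->len = 0; }

    /* No '$' at all (e.g. "56") is a syntax error, not a reason to scan on. */
    p = memchr(in, '$', inlen);
    if (p == NULL) return SI_INVALID_SYNTAX;

    /* Serial: text before '$'.  An all-blank serial (" $") fails here;
     * a one-character serial ("5$...") is accepted. */
    sb = in; se = p;
    if (!trim_span(&sb, &se)) return SI_INVALID_SYNTAX;
    for (q = sb; q < se; q++)
        if (!isdigit((unsigned char)*q)) return SI_INVALID_SYNTAX;

    /* Issuer: text after '$', must not be empty ("56 $" fails). */
    ib = p + 1; ie = in + inlen;
    if (!trim_span(&ib, &ie)) return SI_INVALID_SYNTAX;

    /* Allocate only once every check has passed, so a failure never
     * leaves a half-built result for the caller to free or leak. */
    if ((rc = dup_span(sb, se, serial)) != SI_SUCCESS) return rc;
    if (issuer && (rc = dup_span(ib, ie, issuer)) != SI_SUCCESS) {
        free(serial->val); serial->val = NULL; serial->len = 0;
        return rc;
    }
    return SI_SUCCESS;
}

/* Helpers for quick checks on NUL-terminated strings: the result code,
 * and the parsed serial's length (-1 on failure). */
int si_rc(const char *s)
{
    struct si_bv ser, iss;
    int rc = serial_and_issuer_parse(s, strlen(s), &ser, &iss);
    free(ser.val); free(iss.val);
    return rc;
}

int si_serial_len(const char *s)
{
    struct si_bv ser, iss;
    int rc = serial_and_issuer_parse(s, strlen(s), &ser, &iss);
    int n = (rc == SI_SUCCESS) ? (int)ser.len : -1;
    free(ser.val); free(iss.val);
    return n;
}

int main(void)
{
    /* Constructed inputs: the two values from the message plus valid ones. */
    const char *inputs[] = { "56", " $", "5$cn=CA", "  1234 $ cn=Test CA,o=Example " };
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-34s -> rc=%d serial_len=%d\n",
               inputs[i], si_rc(inputs[i]), si_serial_len(inputs[i]));
    return 0;
}
```

The two points the patch's first hunk gets wrong are handled here by construction: trimming works on a half-open range, so an all-blank serial becomes an empty range rather than a pointer that has walked in front of `begin`, and a one-character serial is simply a range of length one.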