Assertion failure when processing search queries requesting only attributes for a particular entry

Upstream ITS: #7143
Upstream commit: ef2f526 430256f 463c1fa
Resolves: #802514 (CVE-2012-1164)

diff --git a/servers/slapd/attr.c b/servers/slapd/attr.c
index 51f5075..bfc717c 100644
--- a/servers/slapd/attr.c
+++ b/servers/slapd/attr.c
@@ -232,13 +232,16 @@ attr_dup2( Attribute *tmp, Attribute *a )
 		if ( a->a_nvals != a->a_vals ) {
 
 			tmp->a_nvals = ch_malloc( (tmp->a_numvals + 1) * sizeof(struct berval) );
-			for ( j = 0; !BER_BVISNULL( &a->a_nvals[j] ); j++ ) {
-				assert( j < i );
-				ber_dupbv( &tmp->a_nvals[j], &a->a_nvals[j] );
-				if ( BER_BVISNULL( &tmp->a_nvals[j] ) ) break;
-				/* FIXME: error? */
+			j = 0;
+			if ( i ) {
+				for ( ; !BER_BVISNULL( &a->a_nvals[j] ); j++ ) {
+					assert( j < i );
+					ber_dupbv( &tmp->a_nvals[j], &a->a_nvals[j] );
+					if ( BER_BVISNULL( &tmp->a_nvals[j] ) ) break;
+					/* FIXME: error? */
+				}
+				assert( j == i );
 			}
-			assert( j == i );
 			BER_BVZERO( &tmp->a_nvals[j] );
 
 		} else {
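Review bot: The `break` taken when `ber_dupbv` leaves `tmp->a_nvals[j]` null (carried over from the old loop) now exits straight into the new `assert( j == i )`, so an allocation failure inside the loop would surface as an assertion failure rather than an error return, and the `/* FIXME: error? */` it carries over stays open. If slapd's memory hooks make that allocation abort before `ber_dupbv` can return NULL, the break is dead code and a comment saying so would settle it, e.g. `/* ber_dupbv cannot fail under slapd's ch_malloc hooks; the break is defensive only */`; if it can fail, the loop needs an error path that releases the values copied so far instead of asserting. The `if ( i )` guard does fix the empty-attribute case (a->a_nvals[0] is no longer read when there are no values), but the code now trusts `i` — presumably the value count computed earlier in the function — over the a_nvals terminator, which deserves a one-line comment at the guard such as `/* no values: a_nvals holds only its terminator, so do not scan it */`. attr_dup2, and the declarations of `i` and `j`, lie outside the hunk.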
diff --git a/servers/slapd/overlays/rwm.c b/servers/slapd/overlays/rwm.c
index c724be2..0c78e80 100644
--- a/servers/slapd/overlays/rwm.c
+++ b/servers/slapd/overlays/rwm.c
@@ -1276,7 +1276,13 @@ rwm_attrs( Operation *op, SlapReply *rs, Attribute** a_first, int stripEntryDN )
 								NULL );
 
 							if ( rc != LDAP_SUCCESS ) {
-								BER_BVZERO( &(*ap)->a_nvals[i] );
+								/* FIXME: this is wrong, putting a non-normalized value
+								 * into nvals. But when a proxy sends us bogus data,
+								 * we still need to give it to the client, even if it
+								 * violates the syntax. I.e., we don't want to silently
+								 * drop things and trigger an apparent data loss.
+								 */
+								ber_dupbv( &(*ap)->a_nvals[i], &(*ap)->a_vals[i] );
 							}
 						}
 						BER_BVZERO( &(*ap)->a_nvals[i] );
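Review bot: The new fallback `ber_dupbv( &(*ap)->a_nvals[i], &(*ap)->a_vals[i] )` leaves its return value unchecked, and nothing records that a value failed normalization, so a proxy returning syntax-violating data is indistinguishable in the logs from a clean one while a raw value now sits in a_nvals where matching code expects normalized data. The `rc != LDAP_SUCCESS` branch should at least emit a debug-level message naming the attribute whose value was passed through un-normalized, so the condition is visible to operators rather than silently tolerated. The copy's result should also be checked in whichever way rwm_attrs handles allocation failure elsewhere (that code is outside the hunk); on failure `a_nvals[i]` is left as whatever the buffer held before. The FIXME is a good start; I would extend it with one sentence noting that later overlays applying matching rules to this attribute may therefore see non-normalized data. rwm_attrs starts and ends outside the hunk.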