1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
Assertion failure by processing search queries requesting only attributes for particular entry
Upstream ITS: #7143
Upstream commit: ef2f526 430256f 463c1fa
Resolves: #802514 (CVE-2012-1164)
diff --git a/servers/slapd/attr.c b/servers/slapd/attr.c
index 51f5075..bfc717c 100644
--- a/servers/slapd/attr.c
+++ b/servers/slapd/attr.c
@@ -232,13 +232,16 @@ attr_dup2( Attribute *tmp, Attribute *a )
if ( a->a_nvals != a->a_vals ) {
tmp->a_nvals = ch_malloc( (tmp->a_numvals + 1) * sizeof(struct berval) );
- for ( j = 0; !BER_BVISNULL( &a->a_nvals[j] ); j++ ) {
- assert( j < i );
- ber_dupbv( &tmp->a_nvals[j], &a->a_nvals[j] );
- if ( BER_BVISNULL( &tmp->a_nvals[j] ) ) break;
- /* FIXME: error? */
+ j = 0;
+ if ( i ) {
+ for ( ; !BER_BVISNULL( &a->a_nvals[j] ); j++ ) {
+ assert( j < i );
+ ber_dupbv( &tmp->a_nvals[j], &a->a_nvals[j] );
+ if ( BER_BVISNULL( &tmp->a_nvals[j] ) ) break;
+ /* FIXME: error? */
+ }
+ assert( j == i );
}
- assert( j == i );
BER_BVZERO( &tmp->a_nvals[j] );
} else {
diff --git a/servers/slapd/overlays/rwm.c b/servers/slapd/overlays/rwm.c
index c724be2..0c78e80 100644
--- a/servers/slapd/overlays/rwm.c
+++ b/servers/slapd/overlays/rwm.c
@@ -1276,7 +1276,13 @@ rwm_attrs( Operation *op, SlapReply *rs, Attribute** a_first, int stripEntryDN )
NULL );
if ( rc != LDAP_SUCCESS ) {
- BER_BVZERO( &(*ap)->a_nvals[i] );
+ /* FIXME: this is wrong, putting a non-normalized value
+ * into nvals. But when a proxy sends us bogus data,
+ * we still need to give it to the client, even if it
+ * violates the syntax. I.e., we don't want to silently
+ * drop things and trigger an apparent data loss.
+ */
+ ber_dupbv( &(*ap)->a_nvals[i], &(*ap)->a_vals[i] );
}
}
BER_BVZERO( &(*ap)->a_nvals[i] );
|