update to 2.4.50

yixiangzhike 2020-06-29 20:27:01 +08:00
parent deb708834b
commit 49c24465bc
35 changed files with 898 additions and 1362 deletions


@ -1,95 +0,0 @@
From c88b4c85db310ecd0f2f5bb02478cc56f5590d53 Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Wed, 3 Oct 2018 20:28:54 +0000
Subject: [PATCH] Update test044 to catch ITS#8923
DTS/AR:
reason:
---
openldap-2.4.46/tests/scripts/test044-dynlist | 30 +++++++++++++++++++++++++++
openldap-2.4.46/tests/scripts/defines.sh | 1 +
openldap-2.4.46/tests/scripts/test044-dynlist | 8 ++++----
3 file changed, 35 insertions(+), 4 deletions(-)
diff --git a/tests/scripts/test044-dynlist b/tests/scripts/test044-dynlist
index 07b65c5..4c6390e 100755
--- a/tests/scripts/test044-dynlist
+++ b/tests/scripts/test044-dynlist
@@ -468,6 +468,36 @@ case $RC in
esac
echo "" >> $SEARCHOUT
+CMPDN="$BADBJORNSDN"
+echo "Testing list compare (should return FALSE)..."
+echo "# Testing list compare... (should return FALSE)" >> $SEARCHOUT
+$LDAPCOMPARE -h $LOCALHOST -p $PORT1 \
+ "cn=Dynamic List of Members,$LISTDN" "member:$CMPDN" \
+ >> $SEARCHOUT 2>&1
+RC=$?
+case $RC in
+5)
+ echo "ldapcompare returned FALSE ($RC)"
+ ;;
+6)
+ echo "ldapcompare returned TRUE ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ ;;
+0)
+ echo "ldapcompare returned success ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit -1
+ ;;
+*)
+ echo "ldapcompare failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ ;;
+esac
+echo "" >> $SEARCHOUT
+
+
CMPDN="$BJORNSDN"
echo "Testing list compare (should return FALSE)..."
echo "# Testing list compare (should return FALSE)..." >> $SEARCHOUT
diff --git a/openldap-2.4.46/tests/scripts/defines.sh b/openldap-2.4.46/tests/scripts/defines.sh
index 97cf08f..7d62023 100755
--- a/tests/scripts/defines.sh
+++ b/tests/scripts/defines.sh
@@ -261,6 +261,7 @@ UPDATEDN="cn=Replica,$BASEDN"
PASSWD=secret
BABSDN="cn=Barbara Jensen,ou=Information Technology DivisioN,ou=People,$BASEDN"
BJORNSDN="cn=Bjorn Jensen,ou=Information Technology DivisioN,ou=People,$BASEDN"
+BADBJORNSDN="cn=Bjorn JensenNotReally,ou=Information Technology DivisioN,ou=People,$BASEDN"
JAJDN="cn=James A Jones 1,ou=Alumni Association,ou=People,$BASEDN"
JOHNDDN="cn=John Doe,ou=Information Technology Division,ou=People,$BASEDN"
MELLIOTDN="cn=Mark Elliot,ou=Alumni Association,ou=People,$BASEDN"
diff --git a/tests/scripts/test044-dynlist b/tests/scripts/test044-dynlist
index 4c6390e..8ace1a8 100755
--- a/tests/scripts/test044-dynlist
+++ b/tests/scripts/test044-dynlist
@@ -448,13 +448,13 @@ $LDAPCOMPARE -h $LOCALHOST -p $PORT1 \
RC=$?
case $RC in
5)
- echo "ldapcompare returned FALSE ($RC)"
- ;;
-6)
- echo "ldapcompare returned TRUE ($RC)!"
+ echo "ldapcompare returned FALSE ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
;;
+6)
+ echo "ldapcompare returned TRUE ($RC)"
+ ;;
0)
echo "ldapcompare returned success ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
--
1.8.3.1


@ -1,35 +0,0 @@
From f120d0e461178b5974694876ba2d2bdba4f7d122 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 19 Jun 2019 12:29:02 +0100
Subject: [PATCH] ITS#9038 restrict rootDN proxyauthz to its own DBs.
Treat as normal user for any other DB.
---
servers/slapd/saslauthz.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index 64c7053..b3727ea 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -2062,12 +2062,13 @@ int slap_sasl_authorized( Operation *op,
goto DONE;
}
- /* Allow the manager to authorize as any DN. */
- if( op->o_conn->c_authz_backend &&
- be_isroot_dn( op->o_conn->c_authz_backend, authcDN ))
+ /* Allow the manager to authorize as any DN in its own DBs. */
{
- rc = LDAP_SUCCESS;
- goto DONE;
+ Backend *zbe = select_backend( authzDN, 1 );
+ if ( zbe && be_isroot_dn( zbe, authcDN )) {
+ rc = LDAP_SUCCESS;
+ goto DONE;
+ }
}
/* Check source rules */
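Review bot: The new comment says "in its own DBs", but that is decided by `select_backend( authzDN, 1 )`, and nothing explains the second argument or what a NULL result means. A reader has to work out that when `zbe` is NULL or the authcDN is not its root, control falls through to the source rule checks below, so the rootDN is then handled like any other identity. I would extend the comment to something like `/* rootDN may proxy only to DNs held by a backend it is root of (the 1 presumably skips glue subordinates, confirm against select_backend); otherwise fall through to the normal authz rules */`. slap_sasl_authorized starts and ends outside this hunk.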
--
1.7.10.4


@ -1,102 +0,0 @@
From ce5869c89a0cf1a9ec23bde014cb4c11f4d0360c Mon Sep 17 00:00:00 2001
From: =?utf8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
Date: Wed, 19 Jun 2019 18:47:32 +0200
Subject: [PATCH] ITS#9038 Update test028 to test this is enforced
---
tests/data/idassert.out | 5 +++++
tests/data/slapd-idassert.conf | 1 +
tests/data/test-idassert1.ldif | 6 ++++++
tests/scripts/test028-idassert | 24 ++++++++++++++++++++++++
4 files changed, 36 insertions(+)
diff --git a/tests/data/idassert.out b/tests/data/idassert.out
index 53d76bb..fa51c25 100644
--- a/tests/data/idassert.out
+++ b/tests/data/idassert.out
@@ -4,6 +4,11 @@ objectClass: dcObject
o: Example, Inc.
dc: example
+dn: cn=Manager,o=Example,c=US
+objectClass: inetOrgPerson
+cn: Manager
+sn: Parson
+
dn: ou=People,o=Example,c=US
objectClass: organizationalUnit
ou: People
diff --git a/tests/data/slapd-idassert.conf b/tests/data/slapd-idassert.conf
index 88d66a3..561c5cc 100644
--- a/tests/data/slapd-idassert.conf
+++ b/tests/data/slapd-idassert.conf
@@ -36,6 +36,7 @@ argsfile @TESTDIR@/slapd.1.args
#######################################################################
authz-policy both
+authz-regexp "^uid=manager,.+" "cn=Manager,dc=example,dc=com"
authz-regexp "^uid=admin/([^,]+),.+" "ldap:///ou=Admin,dc=example,dc=com??sub?(cn=$1)"
authz-regexp "^uid=it/([^,]+),.+" "ldap:///ou=People,dc=example,dc=it??sub?(uid=$1)"
authz-regexp "^uid=(us/)?([^,]+),.+" "ldap:///ou=People,dc=example,dc=com??sub?(uid=$2)"
diff --git a/tests/data/test-idassert1.ldif b/tests/data/test-idassert1.ldif
index 063d6ec..3ccbd1a 100644
--- a/tests/data/test-idassert1.ldif
+++ b/tests/data/test-idassert1.ldif
@@ -4,6 +4,12 @@ objectClass: dcObject
o: Example, Inc.
dc: example
+dn: cn=Manager,dc=example,dc=com
+objectClass: inetOrgPerson
+cn: Manager
+sn: Parson
+userPassword: secret
+
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People
diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
index b1e1674..9e5e107 100755
--- a/tests/scripts/test028-idassert
+++ b/tests/scripts/test028-idassert
@@ -191,6 +191,17 @@ if test $RC != 0 ; then
exit $RC
fi
+AUTHZID="u:it/jaj"
+echo "Checking another DB's rootdn can't assert identity from another DB..."
+$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD -e\!"authzid=$AUTHZID"
+
+RC=$?
+if test $RC != 1 ; then
+ echo "ldapwhoami should have failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
ID="uid=jaj,ou=People,dc=example,dc=it"
BASE="o=Example,c=US"
echo "Testing ldapsearch as $ID for \"$BASE\"..."
@@ -231,6 +242,19 @@ if test $USE_SASL != "no" ; then
exit $RC
fi
+ ID="manager"
+ AUTHZID="u:it/jaj"
+ echo "Checking another DB's rootdn can't assert in another (with SASL bind this time)..."
+ $LDAPSASLWHOAMI -h $LOCALHOST -p $PORT1 \
+ -Q -U "$ID" -w $PASSWD -Y $MECH -X $AUTHZID
+
+ RC=$?
+ if test $RC != 50 ; then
+ echo "ldapwhoami should have failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
echo "Filtering ldapsearch results..."
$LDIFFILTER < $SEARCHOUT > $SEARCHFLT
echo "Filtering original ldif used to create database..."
--
1.7.10.4


@ -1,25 +0,0 @@
From c064d45c5d4551f2321276c3a5ed25b1c08e115d Mon Sep 17 00:00:00 2001
From: =?utf8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
Date: Mon, 24 Jun 2019 16:37:23 +0200
Subject: [PATCH] ITS#9038 Fix typo in test script
---
tests/scripts/test028-idassert | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
index 9e5e107..564a615 100755
--- a/tests/scripts/test028-idassert
+++ b/tests/scripts/test028-idassert
@@ -199,7 +199,7 @@ RC=$?
if test $RC != 1 ; then
echo "ldapwhoami should have failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
+ exit 1
fi
ID="uid=jaj,ou=People,dc=example,dc=it"
--
1.7.10.4


@ -1,25 +0,0 @@
From 0832ec02f0679cf0862dca2cca5280be1e4fdb37 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
Date: Thu, 27 Jun 2019 00:45:29 +0200
Subject: [PATCH] ITS#9038 Another test028 typo
---
tests/scripts/test028-idassert | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
index 564a615..dacd68d 100755
--- a/tests/scripts/test028-idassert
+++ b/tests/scripts/test028-idassert
@@ -252,7 +252,7 @@ if test $USE_SASL != "no" ; then
if test $RC != 50 ; then
echo "ldapwhoami should have failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
+ exit 1
fi
echo "Filtering ldapsearch results..."
--
1.7.10.4


@ -1,25 +0,0 @@
From 744a46a1acb93798f4e027290191d6a11dd4c18c Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 10 Jul 2019 21:29:39 +0100
Subject: [PATCH] ITS#9052 zero out sasl_ssf in connection_init
---
servers/slapd/connection.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
index b85bcb4..704067c 100644
--- a/servers/slapd/connection.c
+++ b/servers/slapd/connection.c
@@ -554,7 +554,7 @@ Connection * connection_init(
c->c_close_reason = "?"; /* should never be needed */
c->c_ssf = c->c_transport_ssf = ssf;
- c->c_tls_ssf = 0;
+ c->c_tls_ssf = c->c_sasl_ssf = 0;
#ifdef HAVE_TLS
if ( flags & CONN_IS_TLS ) {
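Review bot: The added `c->c_sasl_ssf = 0` carries no comment saying why it belongs in connection_init, and it is folded into a chained assignment with `c_tls_ssf`. If Connection structures are reused between clients (not visible in this hunk), a SASL strength value left over from the previous session would otherwise be credited to the new one wherever access rules test SSF. A short comment above the line, such as `/* no TLS or SASL layer negotiated yet on this connection */`, would record that intent. connection_init continues outside the hunk.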
--
1.7.10.4


@ -1,125 +0,0 @@
From 98464c11df8247d6a11b52e294ba5dd4f0380440 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Thu, 16 Apr 2020 01:08:19 +0100
Subject: [PATCH] ITS#9202 limit depth of nested filters
Using a hardcoded limit for now; no reasonable apps
should ever run into it.
---
servers/slapd/filter.c | 41 ++++++++++++++++++++++++++++++++---------
1 file changed, 32 insertions(+), 9 deletions(-)
diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
index 3252cf2..ed57bbd 100644
--- a/servers/slapd/filter.c
+++ b/servers/slapd/filter.c
@@ -37,11 +37,16 @@
const Filter *slap_filter_objectClass_pres;
const struct berval *slap_filterstr_objectClass_pres;
+#ifndef SLAPD_MAX_FILTER_DEPTH
+#define SLAPD_MAX_FILTER_DEPTH 5000
+#endif
+
static int get_filter_list(
Operation *op,
BerElement *ber,
Filter **f,
- const char **text );
+ const char **text,
+ int depth );
static int get_ssa(
Operation *op,
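Review bot: `SLAPD_MAX_FILTER_DEPTH` is introduced without a comment saying what it bounds, and the `#ifndef` lets a build override it with any value. The limit caps recursion in get_filter0/get_filter_list on client-supplied filters, so the definition should say so, e.g. `/* max nesting of AND/OR/NOT in a received filter; each level recurses, keep well below the thread stack budget */`. It is also worth a one-line comment on get_filter_list (last hunks of this patch) that it forwards `depth` unchanged because its callers already pass `depth+1`.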
@@ -80,12 +85,13 @@ filter_destroy( void )
return;
}
-int
-get_filter(
+static int
+get_filter0(
Operation *op,
BerElement *ber,
Filter **filt,
- const char **text )
+ const char **text,
+ int depth )
{
ber_tag_t tag;
ber_len_t len;
@@ -126,6 +132,11 @@ get_filter(
*
*/
+ if( depth > SLAPD_MAX_FILTER_DEPTH ) {
+ *text = "filter nested too deeply";
+ return SLAPD_DISCONNECT;
+ }
+
tag = ber_peek_tag( ber, &len );
if( tag == LBER_ERROR ) {
@@ -221,7 +232,7 @@ get_filter(
case LDAP_FILTER_AND:
Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
- err = get_filter_list( op, ber, &f.f_and, text );
+ err = get_filter_list( op, ber, &f.f_and, text, depth+1 );
if ( err != LDAP_SUCCESS ) {
break;
}
@@ -234,7 +245,7 @@ get_filter(
case LDAP_FILTER_OR:
Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
- err = get_filter_list( op, ber, &f.f_or, text );
+ err = get_filter_list( op, ber, &f.f_or, text, depth+1 );
if ( err != LDAP_SUCCESS ) {
break;
}
@@ -248,7 +259,7 @@ get_filter(
case LDAP_FILTER_NOT:
Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
(void) ber_skip_tag( ber, &len );
- err = get_filter( op, ber, &f.f_not, text );
+ err = get_filter0( op, ber, &f.f_not, text, depth+1 );
if ( err != LDAP_SUCCESS ) {
break;
}
@@ -311,10 +322,22 @@ get_filter(
return( err );
}
+int
+get_filter(
+ Operation *op,
+ BerElement *ber,
+ Filter **filt,
+ const char **text )
+{
+ return get_filter0( op, ber, filt, text, 0 );
+}
+
+
static int
get_filter_list( Operation *op, BerElement *ber,
Filter **f,
- const char **text )
+ const char **text,
+ int depth )
{
Filter **new;
int err;
@@ -328,7 +351,7 @@ get_filter_list( Operation *op, BerElement *ber,
tag != LBER_DEFAULT;
tag = ber_next_element( ber, &len, last ) )
{
- err = get_filter( op, ber, new, text );
+ err = get_filter0( op, ber, new, text, depth );
if ( err != LDAP_SUCCESS )
return( err );
new = &(*new)->f_next;
--
1.8.3.1


@ -1,48 +0,0 @@
From 86bd2da6ac69acc2df956260d081d03421116828 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Fri, 31 Aug 2018 14:28:22 +0100
Subject: [PATCH 034/109] Fix index delete
Deleting all indices should also reset default mask
---
servers/slapd/back-bdb/config.c | 3 ++-
servers/slapd/back-mdb/config.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/servers/slapd/back-bdb/config.c b/servers/slapd/back-bdb/config.c
index a1cd0d605..24c4753ba 100644
--- a/servers/slapd/back-bdb/config.c
+++ b/servers/slapd/back-bdb/config.c
@@ -602,10 +602,11 @@ bdb_cf_gen( ConfigArgs *c )
if ( c->valx == -1 ) {
int i;
- /* delete all (FIXME) */
+ /* delete all */
for ( i = 0; i < bdb->bi_nattrs; i++ ) {
bdb->bi_attrs[i]->ai_indexmask |= BDB_INDEX_DELETING;
}
+ bdb->bi_defaultmask = 0;
bdb->bi_flags |= BDB_DEL_INDEX;
c->cleanup = bdb_cf_cleanup;
diff --git a/servers/slapd/back-mdb/config.c b/servers/slapd/back-mdb/config.c
index d4c6f96aa..ded7a087c 100644
--- a/servers/slapd/back-mdb/config.c
+++ b/servers/slapd/back-mdb/config.c
@@ -423,10 +423,11 @@ mdb_cf_gen( ConfigArgs *c )
if ( c->valx == -1 ) {
int i;
- /* delete all (FIXME) */
+ /* delete all */
for ( i = 0; i < mdb->mi_nattrs; i++ ) {
mdb->mi_attrs[i]->ai_indexmask |= MDB_INDEX_DELETING;
}
+ mdb->mi_defaultmask = 0;
mdb->mi_flags |= MDB_DEL_INDEX;
c->cleanup = mdb_cf_cleanup;
--
2.19.1


@ -1,25 +0,0 @@
From 4626a7d0edf687c63452dc671a2fbb7f44aa64b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org>
Date: Thu, 14 Jun 2018 16:08:36 +0100
Subject: [PATCH 018/109] Fix quoting example
---
doc/man/man5/ldap.conf.5 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
index 0c8ec8a0e..8c67bc0ae 100644
--- a/doc/man/man5/ldap.conf.5
+++ b/doc/man/man5/ldap.conf.5
@@ -85,7 +85,7 @@ For example,
# Right - DN syntax needs quoting for Example, Inc:
BASE ou=IT staff,o="Example, Inc",c=US
# or:
- BASE ou=IT staff,o=Example2C Inc,c=US
+ BASE ou=IT staff,o=Example\\2C Inc,c=US
# Wrong - comment on same line as option:
DEREF never # Never follow aliases
--
2.19.1


@ -1,34 +0,0 @@
From 55daae4afc3cd2ee6dcbd97a73260113935d2676 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Fri, 25 Jan 2019 18:11:58 +0000
Subject: [PATCH 096/109] ITS#8472 only do index cleanup if DB is running
---
servers/slapd/back-mdb/config.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/servers/slapd/back-mdb/config.c b/servers/slapd/back-mdb/config.c
index df9db5edd..c404e58e7 100644
--- a/servers/slapd/back-mdb/config.c
+++ b/servers/slapd/back-mdb/config.c
@@ -260,6 +260,7 @@ mdb_cf_cleanup( ConfigArgs *c )
}
if ( mdb->mi_flags & MDB_OPEN_INDEX ) {
+ mdb->mi_flags ^= MDB_OPEN_INDEX;
rc = mdb_attr_dbs_open( c->be, NULL, &c->reply );
if ( rc )
rc = LDAP_OTHER;
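Review bot: `mdb->mi_flags ^= MDB_OPEN_INDEX;` clears the flag only because the enclosing `if` has just tested it; as written it is a toggle. `mdb->mi_flags &= ~MDB_OPEN_INDEX;` says "clear" directly and stays correct if the line is ever moved out of the guard. mdb_cf_cleanup continues outside the hunk.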
@@ -631,8 +632,8 @@ mdb_cf_gen( ConfigArgs *c )
c->argc - 1, &c->argv[1], &c->reply);
if( rc != LDAP_SUCCESS ) return 1;
- mdb->mi_flags |= MDB_OPEN_INDEX;
if ( mdb->mi_flags & MDB_IS_OPEN ) {
+ mdb->mi_flags |= MDB_OPEN_INDEX;
c->cleanup = mdb_cf_cleanup;
if ( !mdb->mi_index_task ) {
/* Start the task as soon as we finish here. Set a long
--
2.19.1


@ -1,34 +0,0 @@
From 7553afa6fd524181bd5d7c5fa8808bbd0fc09864 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org>
Date: Mon, 14 Jan 2019 11:44:35 +0000
Subject: [PATCH 086/109] ITS#8663 Fix memberof SLAP_CONFIG_EMIT
---
servers/slapd/overlays/memberof.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/servers/slapd/overlays/memberof.c b/servers/slapd/overlays/memberof.c
index 54c24682a..7e0c8f22b 100644
--- a/servers/slapd/overlays/memberof.c
+++ b/servers/slapd/overlays/memberof.c
@@ -1895,15 +1895,11 @@ mo_cf_gen( ConfigArgs *c )
break;
case MO_MEMBER_AD:
- if ( mo->mo_ad_member != NULL ){
- value_add_one( &c->rvalue_vals, &mo->mo_ad_member->ad_cname );
- }
+ c->value_ad = mo->mo_ad_member;
break;
case MO_MEMBER_OF_AD:
- if ( mo->mo_ad_memberof != NULL ){
- value_add_one( &c->rvalue_vals, &mo->mo_ad_memberof->ad_cname );
- }
+ c->value_ad = mo->mo_ad_memberof;
break;
default:
--
2.19.1


@ -1,26 +0,0 @@
From 8c09d9a132d148ebad1e7f303ae99d357815ffff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org>
Date: Wed, 27 Jun 2018 10:32:04 +0100
Subject: [PATCH 021/109] ITS#8667 Do not finish glue initialisation in tool
mode unless requested
---
servers/slapd/backglue.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/servers/slapd/backglue.c b/servers/slapd/backglue.c
index 53c92448f..c2cfed45c 100644
--- a/servers/slapd/backglue.c
+++ b/servers/slapd/backglue.c
@@ -1312,7 +1312,7 @@ glue_db_init(
SLAP_DBFLAGS( be ) |= SLAP_DBFLAG_GLUE_INSTANCE;
- if ( ga_list ) {
+ if ( ga_list && ( slapMode & SLAP_SERVER_MODE ) ) {
be->bd_info = (BackendInfo *)oi;
glue_sub_attach( 1 );
}
--
2.19.1


@ -1,32 +0,0 @@
From 11320a9156e1306c251b27443439dc2e1db0107b Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Tue, 17 Jan 2017 11:35:54 +0000
Subject: [PATCH 076/109] ITS#8727 plug ber leaks
---
libraries/libldap/request.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libraries/libldap/request.c b/libraries/libldap/request.c
index 31145432f..7d2d7a458 100644
--- a/libraries/libldap/request.c
+++ b/libraries/libldap/request.c
@@ -315,6 +315,7 @@ ldap_send_server_request(
LDAP_MUTEX_UNLOCK( &ld->ld_options.ldo_mutex );
if ( rc == -1 ) {
ld->ld_errno = LDAP_ENCODING_ERROR;
+ ber_free( ber, 1 );
LDAP_CONN_UNLOCK_IF(m_noconn);
return rc;
}
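Review bot: These error returns now free `ber` inside ldap_send_server_request (here and at the `if ( rc )` return in the next hunk), but nothing visible tells callers that the function takes ownership of `ber` on failure. A caller that also frees the element after a failed call would then free it twice; the callers are not shown, so this needs checking against them. A line in the function's header comment, such as `/* ber is consumed: it is freed here when the request cannot be sent */`, would pin the contract.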
@@ -334,6 +335,7 @@ ldap_send_server_request(
rc = -1;
}
if ( rc ) {
+ ber_free( ber, 1 );
LDAP_CONN_UNLOCK_IF(m_noconn);
return rc;
}
--
2.19.1


@ -1,68 +0,0 @@
From 09aea7d84492dbfe61adf197214f206d99b43469 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 5 Dec 2018 10:41:47 +0000
Subject: [PATCH 062/109] ITS#8752 (maybe related)
Avoid incremental access to user-supplied bv in dupbv
---
libraries/liblber/memory.c | 27 ++++++++++++++++-----------
1 file changed, 16 insertions(+), 11 deletions(-)
diff --git a/libraries/liblber/memory.c b/libraries/liblber/memory.c
index a99f5044c..aa1d1e123 100644
--- a/libraries/liblber/memory.c
+++ b/libraries/liblber/memory.c
@@ -482,7 +482,7 @@ struct berval *
ber_dupbv_x(
struct berval *dst, struct berval *src, void *ctx )
{
- struct berval *new;
+ struct berval *new, tmp;
if( src == NULL ) {
ber_errno = LBER_ERROR_PARAM;
@@ -490,7 +490,7 @@ ber_dupbv_x(
}
if ( dst ) {
- new = dst;
+ new = &tmp;
} else {
if(( new = ber_memalloc_x( sizeof(struct berval), ctx )) == NULL ) {
return NULL;
@@ -500,18 +500,23 @@ ber_dupbv_x(
if ( src->bv_val == NULL ) {
new->bv_val = NULL;
new->bv_len = 0;
- return new;
- }
+ } else {
- if(( new->bv_val = ber_memalloc_x( src->bv_len + 1, ctx )) == NULL ) {
- if ( !dst )
- ber_memfree_x( new, ctx );
- return NULL;
+ if(( new->bv_val = ber_memalloc_x( src->bv_len + 1, ctx )) == NULL ) {
+ if ( !dst )
+ ber_memfree_x( new, ctx );
+ return NULL;
+ }
+
+ AC_MEMCPY( new->bv_val, src->bv_val, src->bv_len );
+ new->bv_val[src->bv_len] = '\0';
+ new->bv_len = src->bv_len;
}
- AC_MEMCPY( new->bv_val, src->bv_val, src->bv_len );
- new->bv_val[src->bv_len] = '\0';
- new->bv_len = src->bv_len;
+ if ( dst ) {
+ *dst = *new;
+ new = dst;
+ }
return new;
}
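Review bot: The purpose of `new = &tmp` is not stated, and `src->bv_len` is still read three separate times (allocation size, copy length, stored length). A comment such as `/* build in a temporary so dst is written once, and only on success */` would explain the indirection, which also keeps the copy correct when `dst` and `src` are the same object. Taking the length once, `ber_len_t len = src->bv_len;`, and using `len` for the allocation, `AC_MEMCPY`, the terminator and `new->bv_len` would make the allocation and the copy agree by construction. The opening of ber_dupbv_x is in the earlier hunks of this patch.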
--
2.19.1


@ -1,60 +0,0 @@
From 1f33a6d9109792c0a2c88793092264080fe856b0 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Fri, 22 Jun 2018 16:30:13 +0100
Subject: [PATCH 038/109] ITS#8756 remove loose pg from dirty list in
freelist_save
---
libraries/liblmdb/mdb.c | 33 ++++++++++++++++++++++++++++++++-
1 file changed, 32 insertions(+), 1 deletion(-)
diff --git a/libraries/liblmdb/mdb.c b/libraries/liblmdb/mdb.c
index 0662f2d8b..e12af4482 100644
--- a/libraries/liblmdb/mdb.c
+++ b/libraries/liblmdb/mdb.c
@@ -3094,10 +3094,41 @@ mdb_freelist_save(MDB_txn *txn)
* we may be unable to return them to me_pghead.
*/
MDB_page *mp = txn->mt_loose_pgs;
+ MDB_ID2 *dl = txn->mt_u.dirty_list;
+ unsigned x;
if ((rc = mdb_midl_need(&txn->mt_free_pgs, txn->mt_loose_count)) != 0)
return rc;
- for (; mp; mp = NEXT_LOOSE_PAGE(mp))
+ for (; mp; mp = NEXT_LOOSE_PAGE(mp)) {
mdb_midl_xappend(txn->mt_free_pgs, mp->mp_pgno);
+ /* must also remove from dirty list */
+ if (txn->mt_flags & MDB_TXN_WRITEMAP) {
+ for (x=1; x<=dl[0].mid; x++)
+ if (dl[x].mid == mp->mp_pgno)
+ break;
+ mdb_tassert(txn, x <= dl[0].mid);
+ } else {
+ x = mdb_mid2l_search(dl, mp->mp_pgno);
+ mdb_tassert(txn, dl[x].mid == mp->mp_pgno);
+ }
+ dl[x].mptr = NULL;
+ mdb_dpage_free(env, mp);
+ }
+ {
+ /* squash freed slots out of the dirty list */
+ unsigned y;
+ for (y=1; dl[y].mptr && y <= dl[0].mid; y++);
+ if (y <= dl[0].mid) {
+ for(x=y, y++;;) {
+ while (!dl[y].mptr && y <= dl[0].mid) y++;
+ if (y > dl[0].mid) break;
+ dl[x++] = dl[y++];
+ }
+ dl[0].mid = x-1;
+ } else {
+ /* all slots freed */
+ dl[0].mid = 0;
+ }
+ }
txn->mt_loose_pgs = NULL;
txn->mt_loose_count = 0;
}
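Review bot: Both squash loops index the dirty list before checking the bound: `for (y=1; dl[y].mptr && y <= dl[0].mid; y++);` and `while (!dl[y].mptr && y <= dl[0].mid) y++;` read `dl[y]` when `y` is already `dl[0].mid + 1`. Whether that slot lies inside the allocation depends on how the list is sized, which this hunk does not show, so the index should be tested first: `for (y=1; y <= dl[0].mid && dl[y].mptr; y++);` and `while (y <= dl[0].mid && !dl[y].mptr) y++;`. Separately, the lookup result is guarded only by `mdb_tassert`; if assertions can be compiled out, `dl[x].mptr = NULL` would run with an unverified `x`. mdb_freelist_save begins and ends outside the hunk.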
--
2.19.1


@ -1,29 +0,0 @@
From 59681e0eb305262aeb93675c66f21727bfc7ab98 Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Mon, 30 Apr 2018 17:27:36 +0000
Subject: [PATCH 009/109] ITS#8840 Fix domainScope control to ensure the
control value is absent as per Microsoft specification
(https://msdn.microsoft.com/en-us/library/aa366979%28v=vs.85%29.aspx).
---
servers/slapd/controls.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c
index b8edd39bc..16b580633 100644
--- a/servers/slapd/controls.c
+++ b/servers/slapd/controls.c
@@ -1660,8 +1660,8 @@ static int parseDomainScope (
return LDAP_PROTOCOL_ERROR;
}
- if ( BER_BVISNULL( &ctrl->ldctl_value )) {
- rs->sr_text = "domainScope control value not empty";
+ if ( !BER_BVISNULL( &ctrl->ldctl_value )) {
+ rs->sr_text = "domainScope control value not absent";
return LDAP_PROTOCOL_ERROR;
}
--
2.19.1


@ -1,36 +0,0 @@
From 849f937d0aaf5911d438c49ccde2b036b62362d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org>
Date: Thu, 21 Jun 2018 16:01:43 +0100
Subject: [PATCH 025/109] ITS#8842 Do some printability checks on the dc RDN
---
libraries/libldap/getdn.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/libraries/libldap/getdn.c b/libraries/libldap/getdn.c
index 16ecd3055..69ff62ac8 100644
--- a/libraries/libldap/getdn.c
+++ b/libraries/libldap/getdn.c
@@ -27,6 +27,7 @@
#include "ldap-int.h"
#include "ldap_schema.h"
+#include "ldif.h"
/* extension to UFN that turns trailing "dc=value" rdns in DNS style,
* e.g. "ou=People,dc=openldap,dc=org" => "People, openldap.org" */
@@ -2478,6 +2479,11 @@ dn2domain( LDAPDN dn, struct berval *bv, int pos, int *iRDN )
break;
}
+ if ( ldif_is_not_printable( ava->la_value.bv_val, ava->la_value.bv_len ) ) {
+ domain = 0;
+ break;
+ }
+
domain = 1;
if ( first ) {
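Review bot: The new check rejects dc values that are not printable, but printable is a wider set than what may appear in a DNS label. As far as this hunk shows, a value containing `.` or an inner space would still pass `ldif_is_not_printable` and be joined into the dotted name, so one RDN could contribute more than one label. If dn2domain output is ever compared with or shown as a domain name, a stricter per-character test (letters, digits, `-`) is the safer check; at minimum a comment should state that only printability is enforced here. The function body extends beyond the hunk.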
--
2.19.1


@ -1,24 +0,0 @@
From cc24cf620470e600d31fd68f63decae82b9745f3 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 2 May 2018 16:51:49 +0100
Subject: [PATCH 011/109] ITS#8843 check for NULL modlist
---
servers/slapd/overlays/syncprov.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c
index 684421fb9..9051ec9c9 100644
--- a/servers/slapd/overlays/syncprov.c
+++ b/servers/slapd/overlays/syncprov.c
@@ -1924,6 +1924,7 @@ syncprov_op_response( Operation *op, SlapReply *rs )
/* Don't do any processing for consumer contextCSN updates */
if ( SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) &&
op->o_tag == LDAP_REQ_MODIFY &&
+ op->orm_modlist &&
op->orm_modlist->sml_op == LDAP_MOD_REPLACE &&
op->orm_modlist->sml_desc == slap_schema.si_ad_contextCSN ) {
/* Catch contextCSN updates from syncrepl. We have to look at
--
2.19.1


@ -1,30 +0,0 @@
diff --git a/libraries/liblber/io.c b/libraries/liblber/io.c
index e44a46c..8477794 100644
--- a/libraries/liblber/io.c
+++ b/libraries/liblber/io.c
@@ -128,7 +128,7 @@ ber_write(
int
ber_realloc( BerElement *ber, ber_len_t len )
{
- ber_len_t total, offset, sos_offset;
+ ber_len_t total, offset, sos_offset, rw_offset;
char *buf;
assert( ber != NULL );
@@ -165,6 +165,7 @@ ber_realloc( BerElement *ber, ber_len_t len )
offset = ber->ber_ptr - buf;
sos_offset = ber->ber_sos_ptr ? ber->ber_sos_ptr - buf : 0;
/* if ber_sos_ptr != NULL, it is > ber_buf so that sos_offset > 0 */
+ rw_offset = ber->ber_rwptr ? ber->ber_rwptr - buf : 0;
buf = (char *) ber_memrealloc_x( buf, total, ber->ber_memctx );
if ( buf == NULL ) {
@@ -176,6 +177,8 @@ ber_realloc( BerElement *ber, ber_len_t len )
ber->ber_ptr = buf + offset;
if ( sos_offset )
ber->ber_sos_ptr = buf + sos_offset;
+ if ( ber->ber_rwptr )
+ ber->ber_rwptr = buf + rw_offset;
return( 0 );
}


@ -1,35 +0,0 @@
From 110409ea828b6806c2003702b300652f2290d3d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org>
Date: Thu, 8 Nov 2018 11:09:38 +0000
Subject: [PATCH 054/109] ITS#8878 Include the first character in the
transformation
---
contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c b/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c
index 262534b7d..5f4a0271f 100644
--- a/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c
+++ b/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c
@@ -59,15 +59,14 @@ const struct berval pbkdf2_sha512_scheme = BER_BVC("{PBKDF2-SHA512}");
static int b64_to_ab64(char *str)
{
char *p = str;
- while(*p++){
+ do {
if(*p == '+'){
*p = '.';
}
if(*p == '='){
*p = '\0';
- break;
}
- }
+ } while(*p++);
return 0;
}
--
2.19.1


@ -1,26 +0,0 @@
From 324fdd0c41fca50bd0bfacead6b5b7583ac233dc Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 29 Aug 2018 02:02:13 +0100
Subject: [PATCH 033/109] ITS#8909 additional tweak
Set error code on failure
---
servers/slapd/saslauthz.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index e4a74ea7f..d80370ff9 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -2075,6 +2075,8 @@ int slap_sasl_authorized( Operation *op,
rc = slap_sasl_check_authz( op, authcDN, authzDN,
slap_schema.si_ad_saslAuthzTo, authcDN );
if(( rc == LDAP_SUCCESS ) ^ (( authz_policy & SASL_AUTHZ_AND) != 0)) {
+ if( rc != LDAP_SUCCESS )
+ rc = LDAP_INAPPROPRIATE_AUTH;
goto DONE;
}
}
--
2.19.1


@ -1,26 +0,0 @@
From 37df43786bbb1918e28f3fb0117e58dd9d96cd1c Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 29 Aug 2018 01:13:05 +0100
Subject: [PATCH 031/109] ITS#8909 fix "authz-policy all" condition
Broken since original commit 113727ba
---
servers/slapd/saslauthz.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index e1ea0a1e9..e4a74ea7f 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -2074,7 +2074,7 @@ int slap_sasl_authorized( Operation *op,
if( authz_policy & SASL_AUTHZ_TO ) {
rc = slap_sasl_check_authz( op, authcDN, authzDN,
slap_schema.si_ad_saslAuthzTo, authcDN );
- if( rc == LDAP_SUCCESS && !(authz_policy & SASL_AUTHZ_AND) ) {
+ if(( rc == LDAP_SUCCESS ) ^ (( authz_policy & SASL_AUTHZ_AND) != 0)) {
goto DONE;
}
}
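Review bot: The XOR condition carries the whole difference between the two policy modes and has no comment, which is how the original form came to be wrong for the AND case. Reading the new line, the early exit is taken on success when `SASL_AUTHZ_AND` is clear and on failure when it is set; in the other two combinations the remaining checks still run. I would add above it `/* without SASL_AUTHZ_AND: stop at first success; with it: stop at first failure */`. slap_sasl_authorized starts and ends outside this hunk.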
--
2.19.1


@ -1,25 +0,0 @@
From 83ade79c715dd9516dd2ba0675094b86d630c7b8 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 24 Sep 2018 13:47:09 +0100
Subject: [PATCH 046/109] ITS#8918 fix typo
---
servers/slapd/sasl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index 73ac2a8a8..64e64d1d9 100644
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -323,7 +323,7 @@ slap_auxprop_lookup(
/* we don't know anything about this, ignore it */
if ( !conn ) {
- rc == LDAP_SUCCESS;
+ rc = LDAP_SUCCESS;
goto done;
}
--
2.19.1


@ -1,70 +0,0 @@
From 84e0958b28fccb5cc36de90094aebc6902145c07 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 3 Oct 2018 21:58:32 +0100
Subject: [PATCH 049/109] ITS#8923 fix dyngroup NO_SUCH_OBJECT error handling
---
servers/slapd/backend.c | 2 +-
tests/data/dynlist.out | 3 +++
tests/scripts/test044-dynlist | 9 +++++----
3 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
index 445a2cb57..0a3dafab8 100644
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -1520,7 +1520,7 @@ fe_acl_group(
op->o_private = o_priv;
if ( rc2 != 0 ) {
/* give up... */
- rc = LDAP_OTHER;
+ rc = (rc2 == LDAP_NO_SUCH_OBJECT) ? rc2 : LDAP_OTHER;
goto loopit;
}
}
diff --git a/tests/data/dynlist.out b/tests/data/dynlist.out
index 429039b67..8caf0e22f 100644
--- a/tests/data/dynlist.out
+++ b/tests/data/dynlist.out
@@ -198,6 +198,9 @@ memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)
# Testing list compare...
TRUE
+# Testing list compare... (should return FALSE)
+FALSE
+
# Testing list compare (should return FALSE)...
FALSE
diff --git a/tests/scripts/test044-dynlist b/tests/scripts/test044-dynlist
index e5a0c47dc..8caf50ded 100755
--- a/tests/scripts/test044-dynlist
+++ b/tests/scripts/test044-dynlist
@@ -477,12 +477,12 @@ $LDAPCOMPARE -h $LOCALHOST -p $PORT1 \
RC=$?
case $RC in
5)
- echo "ldapcompare returned FALSE ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
+ echo "ldapcompare returned FALSE ($RC)"
;;
6)
- echo "ldapcompare returned TRUE ($RC)"
+ echo "ldapcompare returned TRUE ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
;;
0)
echo "ldapcompare returned success ($RC)!"
@@ -497,6 +497,7 @@ case $RC in
esac
echo "" >> $SEARCHOUT
+CMPDN="$BJORNSDN"
echo "Testing list compare (should return FALSE)..."
echo "# Testing list compare (should return FALSE)..." >> $SEARCHOUT
$LDAPCOMPARE -h $LOCALHOST -p $PORT1 \
--
2.19.1


@ -1,29 +0,0 @@
From 84a844cfd294a93b4fa2516a82d4f0e35e2c3d3d Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Fri, 9 Nov 2018 21:16:10 +0000
Subject: [PATCH 066/109] ITS#8932 check rdnNormalize success
---
servers/slapd/bconfig.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index 250f14100..4c7d53935 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -4609,7 +4609,11 @@ config_renumber_one( Operation *op, SlapReply *rs, CfEntryInfo *parent,
/* Do the equivalent of ModRDN */
/* Replace DN / NDN */
newrdn.bv_len = ptr1 - newrdn.bv_val;
- rdnNormalize( 0, NULL, NULL, &newrdn, &nnewrdn, NULL );
+ rc = rdnNormalize( 0, NULL, NULL, &newrdn, &nnewrdn, NULL );
+ if ( rc ) {
+ free( newrdn.bv_val );
+ return LDAP_NAMING_VIOLATION;
+ }
rc = config_rename_one( op, rs, e, parent, a, &newrdn, &nnewrdn, use_ldif );
free( nnewrdn.bv_val );
--
2.19.1


@ -1,32 +0,0 @@
From 42d441c810d7b6a6d72625d919e944a38363d6c8 Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Mon, 31 Dec 2018 18:24:12 +0000
Subject: [PATCH 078/109] ITS#8948 - Fix BDB lib to only be linked with static
backend
---
configure.in | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/configure.in b/configure.in
index 2a4d29f78..2bd2a4382 100644
--- a/configure.in
+++ b/configure.in
@@ -1899,7 +1899,13 @@ if test $ol_enable_bdb/$ol_enable_hdb != no/no; then
BDB_LIBS="$BDB_LIBS $ol_cv_lib_db"
fi
- SLAPD_LIBS="$SLAPD_LIBS \$(BDB_LIBS)"
+ dnl link BDB library to slapd when there is a
+ dnl static BDB based backend in use
+ if test $ol_enable_bdb/$ol_enable_hdb != mod/mod ; then
+ if test $ol_enable_bdb = yes -o $ol_enable_hdb = yes ; then
+ SLAPD_LIBS="$SLAPD_LIBS \$(BDB_LIBS)"
+ fi
+ fi
ol_link_bdb=yes
fi
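Review bot: The outer `!= mod/mod` test in the added block is redundant: the inner test passes only when `$ol_enable_bdb` or `$ol_enable_hdb` is `yes`, and in that case the pair can never be `mod/mod`. A single `if test "$ol_enable_bdb" = yes || test "$ol_enable_hdb" = yes ; then` states the same condition, and quoting the variables keeps `test` well-formed should either ever be empty. The enclosing `if test $ol_enable_bdb/$ol_enable_hdb != no/no` begins above the added lines.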
--
2.19.1


@ -1,26 +0,0 @@
From a5a8739b4436b27387c652a8f423b582516d841a Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Thu, 31 Jan 2019 02:33:17 +0000
Subject: [PATCH 100/109] ITS#8957 - Fix ASYNC TLS
Fix ASYNC TLS by correctly handling a return code of -2 in addition to 0
---
libraries/libldap/open.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libraries/libldap/open.c b/libraries/libldap/open.c
index 67a9353f9..5d70678d6 100644
--- a/libraries/libldap/open.c
+++ b/libraries/libldap/open.c
@@ -440,7 +440,7 @@ ldap_int_open_connection(
#endif
#ifdef HAVE_TLS
- if (rc == 0 && ( ld->ld_options.ldo_tls_mode == LDAP_OPT_X_TLS_HARD ||
+ if ((rc == 0 || rc == -2) && ( ld->ld_options.ldo_tls_mode == LDAP_OPT_X_TLS_HARD ||
strcmp( srv->lud_scheme, "ldaps" ) == 0 ))
{
++conn->lconn_refcnt; /* avoid premature free */
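Review bot: The bare `-2` in the new condition is unexplained at the point of use, and this is the check that decides whether TLS is started for `ldaps` and `LDAP_OPT_X_TLS_HARD`. A comment above the `if`, such as `/* -2: async connect still in progress; TLS must still be started */`, would record why that value must not skip the TLS branch; the meaning of -2 is inferred from the patch description and should be confirmed against the connect code. A named constant shared with the function that returns it would keep the two sites from drifting apart. `ldap_int_open_connection` starts and ends outside the hunk.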
--
2.19.1


@ -1,102 +0,0 @@
From d4a0a9b3a65bd1ce721d55845d4240942d17538b Mon Sep 17 00:00:00 2001
From: Vernon Smith <vsmith@interlinknetworks.com>
Date: Tue, 19 Feb 2019 05:57:00 +0000
Subject: [PATCH 109/109] ITS#8980 fix async connections with non-blocking TLS
---
libraries/libldap/os-ip.c | 2 +-
libraries/libldap/tls2.c | 17 ++++++++++++-----
libraries/libldap/tls_o.c | 14 +++++++++++++-
3 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c
index a823cc626..cb7b0a3b2 100644
--- a/libraries/libldap/os-ip.c
+++ b/libraries/libldap/os-ip.c
@@ -443,7 +443,7 @@ ldap_pvt_connect(LDAP *ld, ber_socket_t s,
if ( connect(s, sin, addrlen) != AC_SOCKET_ERROR ) {
osip_debug(ld, "connect success\n", 0, 0, 0);
- if ( opt_tv && ldap_pvt_ndelay_off(ld, s) == -1 )
+ if ( !async && opt_tv && ldap_pvt_ndelay_off(ld, s) == -1 )
return ( -1 );
return ( 0 );
}
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index 96da4d421..bc93e4d63 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -826,7 +826,7 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
Sockbuf *sb;
char *host;
void *ssl;
- int ret;
+ int ret, async;
#ifdef LDAP_USE_NON_BLOCKING_TLS
struct timeval start_time_tv, tv, tv0;
ber_socket_t sd = AC_SOCKET_ERROR;
@@ -853,8 +853,12 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
/*
* Use non-blocking io during SSL Handshake when a timeout is configured
*/
+ async = LDAP_BOOL_GET( &ld->ld_options, LDAP_BOOL_CONNECT_ASYNC );
if ( ld->ld_options.ldo_tm_net.tv_sec >= 0 ) {
- ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)1 );
+ if ( !async ) {
+ /* if async, this has already been set */
+ ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)1 );
+ }
ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_FD, &sd );
tv = ld->ld_options.ldo_tm_net;
tv0 = tv;
@@ -888,8 +892,10 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
ld->ld_errno = LDAP_TIMEOUT;
break;
} else {
- /* ldap_int_poll called ldap_pvt_ndelay_off */
- ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)1 );
+ /* ldap_int_poll called ldap_pvt_ndelay_off if not async */
+ if ( !async ) {
+ ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)1 );
+ }
ret = ldap_int_tls_connect( ld, conn, host );
if ( ret > 0 ) { /* need to call tls_connect once more */
struct timeval curr_time_tv, delta_tv;
@@ -936,7 +942,8 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
}
}
}
- if ( ld->ld_options.ldo_tm_net.tv_sec >= 0 ) {
+ /* Leave it nonblocking if async */
+ if ( !async && ld->ld_options.ldo_tm_net.tv_sec >= 0 ) {
ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, NULL );
}
#endif /* LDAP_USE_NON_BLOCKING_TLS */
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 2b0c021a6..b10121d3a 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -452,7 +452,19 @@ tlso_session_connect( LDAP *ld, tls_session *sess )
tlso_session *s = (tlso_session *)sess;
/* Caller expects 0 = success, OpenSSL returns 1 = success */
- return SSL_connect( s ) - 1;
+ int rc = SSL_connect( s ) - 1;
+#ifdef LDAP_USE_NON_BLOCKING_TLS
+ if ( rc < 0 ) {
+ int sockerr = sock_errno();
+ int sslerr = SSL_get_error( s, rc+1 );
+ if ( sslerr == SSL_ERROR_WANT_READ || sslerr == SSL_ERROR_WANT_WRITE ) {
+ rc = 0;
+ } else if ( sslerr == SSL_ERROR_SYSCALL &&
+ ( sockerr == EAGAIN || sockerr == ENOTCONN )) {
+ rc = 0;
+ }
+ }
+#endif /* LDAP_USE_NON_BLOCKING_TLS */
}
static int
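Review bot: As shown, the new side of `tlso_session_connect` never returns `rc`: `return SSL_connect( s ) - 1;` becomes `int rc = SSL_connect( s ) - 1;` and the closing brace follows the `#endif` directly, so an `int` function falls off its end and the caller reads an indeterminate value. Add `return rc;` after the `#endif /* LDAP_USE_NON_BLOCKING_TLS */` line. Separately, mapping `SSL_ERROR_WANT_READ`/`SSL_ERROR_WANT_WRITE` to `rc = 0` reuses the value the comment defines as success, so the caller needs another way to tell an unfinished handshake from a completed one. That caller is outside this hunk and is worth checking before relying on the session being established.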
--
2.19.1

View File

@ -0,0 +1,36 @@
From 85fc8974f5c32a9a052baafaa9499c8484e043c2 Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Tue, 28 Apr 2020 20:49:53 +0000
Subject: [PATCH] ITS#8650 - Fix Debug usage to follow RE24 format
---
libraries/libldap/tls2.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index c1f15cb..ebe5bf1 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -907,8 +907,8 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
} else if ( sb->sb_trans_needs_write ) {
wr=1;
}
- Debug1( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ldap_int_tls_connect needs %s\n",
- wr ? "write": "read" );
+ Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ldap_int_tls_connect needs %s\n",
+ wr ? "write": "read", 0, 0 );
/* This is mostly copied from result.c:wait4msg(), should
* probably be moved into a separate function */
@@ -946,7 +946,7 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
start_time_tv.tv_sec = curr_time_tv.tv_sec;
start_time_tv.tv_usec = curr_time_tv.tv_usec;
tv = tv0;
- Debug3( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ld %p %ld s %ld us to go\n",
+ Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ld %p %ld s %ld us to go\n",
(void *)ld, (long) tv.tv_sec, (long) tv.tv_usec );
ret = ldap_int_poll( ld, sd, &tv, wr);
if ( ret < 0 ) {
--
1.8.3.1


@ -0,0 +1,821 @@
From 47e0e3fdb59d8be9cc44e814ba03684d352916a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
Date: Thu, 30 Jan 2020 09:03:59 +0000
Subject: [PATCH] ITS#9160 OOM handling
https://bugs.openldap.org/show_bug.cgi?id=9160
diff --git a/contrib/slapd-modules/allowed/allowed.c b/contrib/slapd-modules/allowed/allowed.c
--- a/contrib/slapd-modules/allowed/allowed.c
+++ b/contrib/slapd-modules/allowed/allowed.c
@@ -277,10 +277,10 @@ aa_operational( Operation *op, SlapReply *rs )
/* just count */ ;
if ( got & GOT_A ) {
- bv_allowed = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) );
+ bv_allowed = ch_calloc( i + 1, sizeof( struct berval ) );
}
if ( got & GOT_AE ) {
- bv_effective = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) );
+ bv_effective = ch_calloc( i + 1, sizeof( struct berval ) );
}
for ( i = 0, ja = 0, je = 0; atp[ i ] != NULL; i++ ) {
@@ -310,7 +310,6 @@ aa_operational( Operation *op, SlapReply *rs )
ch_free( atp );
if ( ( got & GOT_A ) && ja > 0 ) {
- BER_BVZERO( &bv_allowed[ ja ] );
*ap = attr_alloc( ad_allowedAttributes );
(*ap)->a_vals = bv_allowed;
(*ap)->a_nvals = bv_allowed;
@@ -319,7 +318,6 @@ aa_operational( Operation *op, SlapReply *rs )
}
if ( ( got & GOT_AE ) && je > 0 ) {
- BER_BVZERO( &bv_effective[ je ] );
*ap = attr_alloc( ad_allowedAttributesEffective );
(*ap)->a_vals = bv_effective;
(*ap)->a_nvals = bv_effective;
@@ -348,10 +346,10 @@ do_oc:;
}
if ( got & GOT_C ) {
- bv_allowed = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) );
+ bv_allowed = ch_calloc( i + 1, sizeof( struct berval ) );
}
if ( got & GOT_CE ) {
- bv_effective = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) );
+ bv_effective = ch_calloc( i + 1, sizeof( struct berval ) );
}
for ( oc_start( &oc ); oc != NULL; oc_next( &oc ) ) {
@@ -398,7 +396,6 @@ done_ce:;
}
if ( ( got & GOT_C ) && ja > 0 ) {
- BER_BVZERO( &bv_allowed[ ja ] );
*ap = attr_alloc( ad_allowedChildClasses );
(*ap)->a_vals = bv_allowed;
(*ap)->a_nvals = bv_allowed;
@@ -407,7 +404,6 @@ done_ce:;
}
if ( ( got & GOT_CE ) && je > 0 ) {
- BER_BVZERO( &bv_effective[ je ] );
*ap = attr_alloc( ad_allowedChildClassesEffective );
(*ap)->a_vals = bv_effective;
(*ap)->a_nvals = bv_effective;
diff --git a/contrib/slapd-modules/samba4/rdnval.c b/contrib/slapd-modules/samba4/rdnval.c
--- a/contrib/slapd-modules/samba4/rdnval.c
+++ b/contrib/slapd-modules/samba4/rdnval.c
@@ -223,8 +223,8 @@ rdnval_rdn2vals(
/* NOTE: we assume rdn and nrdn contain the same AVAs! */
- *valsp = SLAP_CALLOC( sizeof( struct berval ), nAVA + 1 );
- *nvalsp = SLAP_CALLOC( sizeof( struct berval ), nAVA + 1 );
+ *valsp = ch_calloc( sizeof( struct berval ), nAVA + 1 );
+ *nvalsp = ch_calloc( sizeof( struct berval ), nAVA + 1 );
/* Add new attribute values to the entry */
for ( i = 0; rdn[ i ]; i++ ) {
@@ -354,7 +354,7 @@ rdnval_op_rename( Operation *op, SlapReply *rs )
send_ldap_result( op, rs );
}
- ml = SLAP_CALLOC( sizeof( Modifications ), 1 );
+ ml = ch_calloc( sizeof( Modifications ), 1 );
ml->sml_values = vals;
ml->sml_nvalues = nvals;
diff --git a/contrib/slapd-modules/samba4/vernum.c b/contrib/slapd-modules/samba4/vernum.c
--- a/contrib/slapd-modules/samba4/vernum.c
+++ b/contrib/slapd-modules/samba4/vernum.c
@@ -121,8 +121,8 @@ vernum_op_modify( Operation *op, SlapReply *rs )
/* ITS#6561 */
#ifdef SLAP_MOD_ADD_IF_NOT_PRESENT
/* the initial value is only added if the vernum attr is not present */
- ml = SLAP_CALLOC( sizeof( Modifications ), 1 );
- ml->sml_values = SLAP_CALLOC( sizeof( struct berval ) , 2 );
+ ml = ch_calloc( sizeof( Modifications ), 1 );
+ ml->sml_values = ch_calloc( sizeof( struct berval ) , 2 );
value_add_one( &ml->sml_values, &val_init );
ml->sml_nvalues = NULL;
ml->sml_numvals = 1;
@@ -136,8 +136,8 @@ vernum_op_modify( Operation *op, SlapReply *rs )
#endif /* SLAP_MOD_ADD_IF_NOT_PRESENT */
/* this increments by 1 the vernum attr */
- ml = SLAP_CALLOC( sizeof( Modifications ), 1 );
- ml->sml_values = SLAP_CALLOC( sizeof( struct berval ) , 2 );
+ ml = ch_calloc( sizeof( Modifications ), 1 );
+ ml->sml_values = ch_calloc( sizeof( struct berval ) , 2 );
value_add_one( &ml->sml_values, &val );
ml->sml_nvalues = NULL;
ml->sml_numvals = 1;
diff --git a/tests/progs/slapd-bind.c b/tests/progs/slapd-bind.c
index c9e3210b06..a832e809c1 100644
--- a/tests/progs/slapd-bind.c
+++ b/tests/progs/slapd-bind.c
@@ -412,11 +412,19 @@ do_base( struct tester_conn_args *config, char *dn, char *base, char *filter, ch
case LDAP_RES_SEARCH_ENTRY:
rc = ldap_get_dn_ber( ld, msg, &ber, &bv );
dns = realloc( dns, (ndns + 1)*sizeof(char *) );
+ if ( !dns ) {
+ tester_error( "realloc failed" );
+ exit( EXIT_FAILURE );
+ }
dns[ndns] = ber_strdup( bv.bv_val );
if ( pwattr != NULL ) {
struct berval **values = ldap_get_values_len( ld, msg, pwattr );
creds = realloc( creds, (ndns + 1)*sizeof(struct berval) );
+ if ( !creds ) {
+ tester_error( "realloc failed" );
+ exit( EXIT_FAILURE );
+ }
if ( values == NULL ) {
novals:;
creds[ndns].bv_len = 0;
diff --git a/tests/progs/slapd-modrdn.c b/tests/progs/slapd-modrdn.c
index 5bd823d72a..d82d82c69e 100644
--- a/tests/progs/slapd-modrdn.c
+++ b/tests/progs/slapd-modrdn.c
@@ -125,6 +125,10 @@ do_modrdn( struct tester_conn_args *config,
DNs[0] = entry;
DNs[1] = strdup( entry );
+ if ( DNs[1] == NULL ) {
+ tester_error( "strdup failed" );
+ exit( EXIT_FAILURE );
+ }
/* reverse the RDN, make new DN */
p1 = strchr( entry, '=' ) + 1;
@@ -132,6 +136,10 @@ do_modrdn( struct tester_conn_args *config,
*p2 = '\0';
rdns[1] = strdup( entry );
+ if ( rdns[1] == NULL ) {
+ tester_error( "strdup failed" );
+ exit( EXIT_FAILURE );
+ }
*p2-- = ',';
for (i = p1 - entry;p2 >= p1;)
@@ -139,6 +147,10 @@ do_modrdn( struct tester_conn_args *config,
DNs[1][i] = '\0';
rdns[0] = strdup( DNs[1] );
+ if ( rdns[0] == NULL ) {
+ tester_error( "strdup failed" );
+ exit( EXIT_FAILURE );
+ }
DNs[1][i] = ',';
i = 0;
diff --git a/tests/progs/slapd-mtread.c b/tests/progs/slapd-mtread.c
index 1b421af00b..c8024cb6e1 100644
--- a/tests/progs/slapd-mtread.c
+++ b/tests/progs/slapd-mtread.c
@@ -531,6 +531,10 @@ do_random( LDAP *ld,
}
values = malloc( ( nvalues + 1 ) * sizeof( char * ) );
+ if (values == NULL) {
+ thread_error( idx, "(failed to malloc)");
+ exit( EXIT_FAILURE );
+ }
for ( i = 0, e = ldap_first_entry( ld, res ); e != NULL; i++, e = ldap_next_entry( ld, e ) )
{
values[ i ] = ldap_get_dn( ld, e );
diff --git a/tests/progs/slapd-read.c b/tests/progs/slapd-read.c
index 4023a22d27..f95228317b 100644
--- a/tests/progs/slapd-read.c
+++ b/tests/progs/slapd-read.c
@@ -202,6 +202,10 @@ do_random( struct tester_conn_args *config, char *sbase, char *filter,
}
values = malloc( ( nvalues + 1 ) * sizeof( char * ) );
+ if ( !values ) {
+ tester_error( "malloc failed" );
+ exit( EXIT_FAILURE );
+ }
for ( i = 0, e = ldap_first_entry( ld, res ); e != NULL; i++, e = ldap_next_entry( ld, e ) )
{
values[ i ] = ldap_get_dn( ld, e );
@@ -251,6 +255,10 @@ do_read( struct tester_conn_args *config, char *entry, LDAP **ldp,
/* make room for msgid */
if ( swamp > 1 ) {
msgids = (int *)calloc( sizeof(int), maxloop );
+ if ( !msgids ) {
+ tester_error( "calloc failed" );
+ exit( EXIT_FAILURE );
+ }
}
retry:;
diff --git a/tests/progs/slapd-search.c b/tests/progs/slapd-search.c
index 8f791d6b3c..321fd80e38 100644
--- a/tests/progs/slapd-search.c
+++ b/tests/progs/slapd-search.c
@@ -226,6 +226,10 @@ do_random( struct tester_conn_args *config,
int j;
values = realloc( values, ( nvalues + n + 1 )*sizeof( char * ) );
+ if ( !values ) {
+ tester_error( "realloc failed" );
+ exit( EXIT_FAILURE );
+ }
for ( j = 0; j < n; j++ ) {
values[ nvalues + j ] = strdup( v[ j ]->bv_val );
}
@@ -298,6 +302,10 @@ do_search( struct tester_conn_args *config,
/* make room for msgid */
if ( swamp > 1 ) {
msgids = (int *)calloc( sizeof(int), innerloop );
+ if ( !msgids ) {
+ tester_error( "calloc failed" );
+ exit( EXIT_FAILURE );
+ }
}
retry:;
diff --git a/servers/slapd/aci.c b/servers/slapd/aci.c
index 86ace3f536..232c32fc89 100644
--- a/servers/slapd/aci.c
+++ b/servers/slapd/aci.c
@@ -1258,7 +1258,7 @@ OpenLDAPaciNormalizeRight(
len = nattrs.bv_len + ( !BER_BVISEMPTY( &nattrs ) ? STRLENOF( "," ) : 0 )
+ ad->ad_cname.bv_len;
- nattrs.bv_val = ber_memrealloc_x( nattrs.bv_val, len + 1, ctx );
+ nattrs.bv_val = slap_sl_realloc( nattrs.bv_val, len + 1, ctx );
ptr = &nattrs.bv_val[ nattrs.bv_len ];
if ( !BER_BVISEMPTY( &nattrs ) ) {
*ptr++ = ',';
@@ -1270,7 +1270,7 @@ OpenLDAPaciNormalizeRight(
}
- naction->bv_val = ber_memrealloc_x( naction->bv_val,
+ naction->bv_val = slap_sl_realloc( naction->bv_val,
naction->bv_len + STRLENOF( ";" )
+ perms.bv_len + STRLENOF( ";" )
+ nattrs.bv_len + 1,
@@ -1345,7 +1345,7 @@ OpenLDAPaciNormalizeRights(
*nactions = nbv;
} else {
- nactions->bv_val = ber_memrealloc_x( nactions->bv_val,
+ nactions->bv_val = slap_sl_realloc( nactions->bv_val,
nactions->bv_len + STRLENOF( "$" )
+ nbv.bv_len + 1,
ctx );
@@ -1703,7 +1703,7 @@ OpenLDAPaciPrettyNormal(
}
bv.bv_len += STRLENOF( "/" ) + oc->soc_cname.bv_len;
- bv.bv_val = ber_memalloc_x( bv.bv_len + 1, ctx );
+ bv.bv_val = slap_sl_malloc( bv.bv_len + 1, ctx );
ptr = bv.bv_val;
ptr = lutil_strncopy( ptr, ntype.bv_val, ntype.bv_len );
@@ -1762,7 +1762,7 @@ OpenLDAPaciPrettyNormal(
+ ntype.bv_len + STRLENOF( "#" )
+ nsubject.bv_len;
- out->bv_val = ber_memalloc_x( out->bv_len + 1, ctx );
+ out->bv_val = slap_sl_malloc( out->bv_len + 1, ctx );
ptr = lutil_strncopy( out->bv_val, oid.bv_val, oid.bv_len );
ptr[ 0 ] = '#';
ptr++;
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index 79a3fd1cfc..ceee648683 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -3032,7 +3032,7 @@ tcp_buffer_unparse( int size, int rw, Listener *l, struct berval *val )
}
}
- val->bv_val = SLAP_MALLOC( val->bv_len + 1 );
+ val->bv_val = ch_malloc( val->bv_len + 1 );
ptr = val->bv_val;
@@ -3110,7 +3110,7 @@ tcp_buffer_add_one( int argc, char **argv )
if ( rw & SLAP_TCP_WMEM ) slapd_tcp_wmem = size;
}
- tcp_buffer = SLAP_REALLOC( tcp_buffer, sizeof( struct berval ) * ( tcp_buffer_num + 2 ) );
+ tcp_buffer = ch_realloc( tcp_buffer, sizeof( struct berval ) * ( tcp_buffer_num + 2 ) );
/* append */
tcp_buffer[ tcp_buffer_num ] = val;
diff --git a/servers/slapd/modify.c b/servers/slapd/modify.c
index fb1cc3f1c3..cfdd7b0aa9 100644
--- a/servers/slapd/modify.c
+++ b/servers/slapd/modify.c
@@ -619,7 +619,7 @@ int slap_mods_check(
if( nvals && ad->ad_type->sat_equality &&
ad->ad_type->sat_equality->smr_normalize )
{
- ml->sml_nvalues = ber_memalloc_x(
+ ml->sml_nvalues = slap_sl_malloc(
(nvals+1)*sizeof(struct berval), ctx );
for ( nvals = 0; !BER_BVISNULL( &ml->sml_values[nvals] ); nvals++ ) {
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index 92407391e9..c067ef825c 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -3415,7 +3415,7 @@ serialNumberAndIssuerCheck(
ber_len_t src, dst;
ni.bv_len = is->bv_len - numdquotes;
- ni.bv_val = ber_memalloc_x( ni.bv_len + 1, ctx );
+ ni.bv_val = slap_sl_malloc( ni.bv_len + 1, ctx );
for ( src = 0, dst = 0; src < is->bv_len; src++, dst++ ) {
if ( is->bv_val[src] == '"' ) {
src++;
@@ -4004,7 +4004,7 @@ issuerAndThisUpdateCheck(
ber_len_t src, dst;
ni.bv_len = is->bv_len - numdquotes;
- ni.bv_val = ber_memalloc_x( ni.bv_len + 1, ctx );
+ ni.bv_val = slap_sl_malloc( ni.bv_len + 1, ctx );
for ( src = 0, dst = 0; src < is->bv_len; src++, dst++ ) {
if ( is->bv_val[src] == '"' ) {
src++;
@@ -4606,7 +4606,7 @@ serialNumberAndIssuerSerialCheck(
ber_len_t src, dst;
ni.bv_len = is->bv_len - numdquotes;
- ni.bv_val = ber_memalloc_x( ni.bv_len + 1, ctx );
+ ni.bv_val = slap_sl_malloc( ni.bv_len + 1, ctx );
for ( src = 0, dst = 0; src < is->bv_len; src++, dst++ ) {
if ( is->bv_val[src] == '"' ) {
src++;
diff --git a/servers/slapd/value.c b/servers/slapd/value.c
index 73c2052f16..c901236d5e 100644
--- a/servers/slapd/value.c
+++ b/servers/slapd/value.c
@@ -514,7 +514,7 @@ ordered_value_pretty(
bv = *out;
out->bv_len = idx.bv_len + bv.bv_len;
- out->bv_val = ber_memalloc_x( out->bv_len + 1, ctx );
+ out->bv_val = slap_sl_malloc( out->bv_len + 1, ctx );
AC_MEMCPY( out->bv_val, idx.bv_val, idx.bv_len );
AC_MEMCPY( &out->bv_val[ idx.bv_len ], bv.bv_val, bv.bv_len + 1 );
@@ -591,7 +591,7 @@ ordered_value_normalize(
bv = *normalized;
normalized->bv_len = idx.bv_len + bv.bv_len;
- normalized->bv_val = ber_memalloc_x( normalized->bv_len + 1, ctx );
+ normalized->bv_val = slap_sl_malloc( normalized->bv_len + 1, ctx );
AC_MEMCPY( normalized->bv_val, idx.bv_val, idx.bv_len );
AC_MEMCPY( &normalized->bv_val[ idx.bv_len ], bv.bv_val, bv.bv_len + 1 );
diff --git a/libraries/libldap/deref.c b/libraries/libldap/deref.c
index 6da6f2711c..9b66f19d95 100644
--- a/libraries/libldap/deref.c
+++ b/libraries/libldap/deref.c
@@ -191,6 +191,12 @@ ldap_parse_derefresponse_control(
char *last2;
dr = LDAP_CALLOC( 1, sizeof(LDAPDerefRes) );
+ if ( dr == NULL ) {
+ ldap_derefresponse_free( drhead );
+ *drp2 = NULL;
+ ld->ld_errno = LDAP_NO_MEMORY;
+ return ld->ld_errno;
+ }
dvp = &dr->attrVals;
tag = ber_scanf( ber, "{ao", &dr->derefAttr, &dr->derefVal );
@@ -207,6 +213,13 @@ ldap_parse_derefresponse_control(
LDAPDerefVal *dv;
dv = LDAP_CALLOC( 1, sizeof(LDAPDerefVal) );
+ if ( dv == NULL ) {
+ ldap_derefresponse_free( drhead );
+ LDAP_FREE( dr );
+ *drp2 = NULL;
+ ld->ld_errno = LDAP_NO_MEMORY;
+ return ld->ld_errno;
+ }
tag = ber_scanf( ber, "{a[W]}", &dv->type, &dv->vals );
if ( tag == LBER_ERROR ) {
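Review bot: In the `dv == NULL` branch, `LDAP_FREE( dr )` releases only the struct, although the `ber_scanf( ber, "{ao", &dr->derefAttr, &dr->derefVal )` call shown in the previous hunk has already filled `dr->derefAttr` and `dr->derefVal`, and earlier passes of the loop may have linked values under `dr->attrVals`. Those allocations are dropped on this path. Since `dr` comes from `LDAP_CALLOC` and does not appear to be linked into `drhead` yet, `ldap_derefresponse_free( dr );` in place of `LDAP_FREE( dr );` would release the members too; confirm that `dr->next` is still NULL at this point. Both early returns in this file also leave the function before whatever releases `ber`, which is outside the hunks.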
diff --git a/libraries/libldap/getdn.c b/libraries/libldap/getdn.c
index 45910aba52..1228d9c76e 100644
--- a/libraries/libldap/getdn.c
+++ b/libraries/libldap/getdn.c
@@ -258,6 +258,9 @@ ldap_explode_rdn( LDAP_CONST char *rdn, int notypes )
l = vl + ava->la_attr.bv_len + 1;
str = LDAP_MALLOC( l + 1 );
+ if ( str == NULL ) {
+ goto error_return;
+ }
AC_MEMCPY( str, ava->la_attr.bv_val,
ava->la_attr.bv_len );
str[ al++ ] = '=';
@@ -265,6 +268,9 @@ ldap_explode_rdn( LDAP_CONST char *rdn, int notypes )
} else {
l = vl;
str = LDAP_MALLOC( l + 1 );
+ if ( str == NULL ) {
+ goto error_return;
+ }
}
if ( ava->la_flags & LDAP_AVA_BINARY ) {
@@ -1526,6 +1532,10 @@ str2strval( const char *str, ber_len_t stoplen, struct berval *val, const char *
if ( escapes == 0 ) {
if ( *retFlags & LDAP_AVA_NONPRINTABLE ) {
val->bv_val = LDAP_MALLOCX( len + 1, ctx );
+ if ( val->bv_val == NULL ) {
+ return( 1 );
+ }
+
AC_MEMCPY( val->bv_val, startPos, len );
val->bv_val[ len ] = '\0';
} else {
@@ -1536,6 +1546,10 @@ str2strval( const char *str, ber_len_t stoplen, struct berval *val, const char *
ber_len_t s, d;
val->bv_val = LDAP_MALLOCX( len + 1, ctx );
+ if ( val->bv_val == NULL ) {
+ return( 1 );
+ }
+
for ( s = 0, d = 0; d < len; ) {
if ( LDAP_DN_ESCAPE( startPos[ s ] ) ) {
s++;
@@ -1633,6 +1647,10 @@ DCE2strval( const char *str, struct berval *val, const char **next, unsigned fla
ber_len_t s, d;
val->bv_val = LDAP_MALLOCX( len + 1, ctx );
+ if ( val->bv_val == NULL ) {
+ return( 1 );
+ }
+
for ( s = 0, d = 0; d < len; ) {
/*
* This point is reached only if escapes
@@ -1714,6 +1732,10 @@ IA52strval( const char *str, struct berval *val, const char **next, unsigned fla
ber_len_t s, d;
val->bv_val = LDAP_MALLOCX( len + 1, ctx );
+ if ( val->bv_val == NULL ) {
+ return( 1 );
+ }
+
for ( s = 0, d = 0; d < len; ) {
if ( LDAP_DN_ESCAPE( startPos[ s ] ) ) {
s++;
@@ -1804,6 +1826,10 @@ quotedIA52strval( const char *str, struct berval *val, const char **next, unsign
ber_len_t s, d;
val->bv_val = LDAP_MALLOCX( len + 1, ctx );
+ if ( val->bv_val == NULL ) {
+ return( 1 );
+ }
+
val->bv_len = len;
for ( s = d = 0; d < len; ) {
@@ -2897,6 +2923,9 @@ ldap_rdn2bv_x( LDAPRDN rdn, struct berval *bv, unsigned flags, void *ctx )
}
bv->bv_val = LDAP_MALLOCX( l + 1, ctx );
+ if ( bv->bv_val == NULL ) {
+ return LDAP_NO_MEMORY;
+ }
switch ( LDAP_DN_FORMAT( flags ) ) {
case LDAP_DN_FORMAT_LDAPV3:
diff --git a/libraries/libldap/ldif.c b/libraries/libldap/ldif.c
index 5414e59334..1c29619cf3 100644
--- a/libraries/libldap/ldif.c
+++ b/libraries/libldap/ldif.c
@@ -357,6 +357,9 @@ ldif_must_b64_encode_register( LDAP_CONST char *name, LDAP_CONST char *oid )
if ( must_b64_encode == default_must_b64_encode ) {
must_b64_encode = ber_memalloc( sizeof( must_b64_encode_s ) * ( i + 2 ) );
+ if ( must_b64_encode == NULL ) {
+ return 1;
+ }
for ( i = 0; !BER_BVISNULL( &default_must_b64_encode[i].name ); i++ ) {
ber_dupbv( &must_b64_encode[i].name, &default_must_b64_encode[i].name );
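Review bot: On allocation failure the added check returns 1 after `must_b64_encode` has already been overwritten with the NULL result of `ber_memalloc`, so the pointer no longer refers to `default_must_b64_encode`. The `must_b64_encode == default_must_b64_encode` test is then false on the next call, and any later reader of the table (outside this hunk) would dereference NULL. Allocate into a local and assign only on success: `tmp = ber_memalloc( ... ); if ( tmp == NULL ) return 1; must_b64_encode = tmp;`. The `ber_dupbv` calls in the copy loop that follows are also unchecked.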
@@ -728,6 +731,9 @@ ldif_open(
if ( fp ) {
lfp = ber_memalloc( sizeof( LDIFFP ));
+ if ( lfp == NULL ) {
+ return NULL;
+ }
lfp->fp = fp;
lfp->prev = NULL;
}
diff --git a/libraries/libldap/options.c b/libraries/libldap/options.c
index d8dbfea880..bc421dc6ba 100644
--- a/libraries/libldap/options.c
+++ b/libraries/libldap/options.c
@@ -151,10 +151,21 @@ ldap_get_option(
int i;
info->ldapai_extensions = LDAP_MALLOC(sizeof(char *) *
sizeof(features)/sizeof(LDAPAPIFeatureInfo));
+ if ( info->ldapai_extensions == NULL ) {
+ rc = LDAP_NO_MEMORY;
+ break;
+ }
for(i=0; features[i].ldapaif_name != NULL; i++) {
info->ldapai_extensions[i] =
LDAP_STRDUP(features[i].ldapaif_name);
+ if ( info->ldapai_extensions[i] == NULL ) {
+ rc = LDAP_NO_MEMORY;
+ break;
+ }
+ }
+ if ( features[i].ldapaif_name != NULL ) {
+ break; /* LDAP_NO_MEMORY */
}
info->ldapai_extensions[i] = NULL;
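Review bot: When `LDAP_STRDUP` fails part-way through the loop, the new code breaks out with `rc = LDAP_NO_MEMORY` but leaves `info->ldapai_extensions` pointing at a partly filled array that is neither freed nor NULL-terminated. A caller that cleans up `info` after the error would walk past the last valid entry. The strings copied so far and the array itself should be released, and the pointer reset, before the `break; /* LDAP_NO_MEMORY */`. The enclosing `case` of `ldap_get_option` starts and ends outside the hunk.

```c
if ( features[i].ldapaif_name != NULL ) {
	/* LDAP_NO_MEMORY: release what was copied so far */
	while ( i > 0 ) {
		LDAP_FREE( info->ldapai_extensions[--i] );
	}
	LDAP_FREE( info->ldapai_extensions );
	info->ldapai_extensions = NULL;
	break;
}
```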
@@ -895,6 +906,11 @@ ldap_set_option(
/* setting pushes the callback */
ldaplist *ll;
ll = LDAP_MALLOC( sizeof( *ll ));
+ if ( ll == NULL ) {
+ rc = LDAP_NO_MEMORY;
+ break;
+ }
+
ll->ll_data = (void *)invalue;
ll->ll_next = lo->ldo_conn_cbs;
lo->ldo_conn_cbs = ll;
diff --git a/libraries/libldap/result.c b/libraries/libldap/result.c
index b4e478aacb..04ee48ea18 100644
--- a/libraries/libldap/result.c
+++ b/libraries/libldap/result.c
@@ -1027,6 +1027,11 @@ try_read1msg(
* to parse.
*/
ber = ldap_alloc_ber_with_options( ld );
+ if ( ber == NULL ) {
+ ld->ld_errno = LDAP_NO_MEMORY;
+ return -1;
+ }
+
if ( ber_sockbuf_ctrl( lc->lconn_sb, LBER_SB_OPT_DATA_READY, NULL ) ) ok = 1;
}
/* set up response chain */
diff --git a/libraries/libldap/schema.c b/libraries/libldap/schema.c
index 5cb30e7bfb..ef99a17c97 100644
--- a/libraries/libldap/schema.c
+++ b/libraries/libldap/schema.c
@@ -2126,6 +2126,11 @@ ldap_str2attributetype( LDAP_CONST char * s,
/* Non-numerical OID ... */
int len = ss-savepos;
at->at_oid = LDAP_MALLOC(len+1);
+ if ( !at->at_oid ) {
+ ldap_attributetype_free(at);
+ return NULL;
+ }
+
strncpy(at->at_oid, savepos, len);
at->at_oid[len] = 0;
}
@@ -2499,6 +2504,11 @@ ldap_str2objectclass( LDAP_CONST char * s,
/* Non-numerical OID, ignore */
int len = ss-savepos;
oc->oc_oid = LDAP_MALLOC(len+1);
+ if ( !oc->oc_oid ) {
+ ldap_objectclass_free(oc);
+ return NULL;
+ }
+
strncpy(oc->oc_oid, savepos, len);
oc->oc_oid[len] = 0;
}
@@ -2780,6 +2790,11 @@ ldap_str2contentrule( LDAP_CONST char * s,
/* Non-numerical OID, ignore */
int len = ss-savepos;
cr->cr_oid = LDAP_MALLOC(len+1);
+ if ( !cr->cr_oid ) {
+ ldap_contentrule_free(cr);
+ return NULL;
+ }
+
strncpy(cr->cr_oid, savepos, len);
cr->cr_oid[len] = 0;
}
diff --git a/servers/slapd/back-meta/config.c b/servers/slapd/back-meta/config.c
index fc0ec2cde5..5cb4d1c1dd 100644
--- a/servers/slapd/back-meta/config.c
+++ b/servers/slapd/back-meta/config.c
@@ -1481,7 +1481,7 @@ meta_back_cf_gen( ConfigArgs *c )
char *ptr;
int len = snprintf( buf, sizeof( buf ), SLAP_X_ORDERED_FMT, i );
bv.bv_len = ((*bvp)[ i ]).bv_len + len;
- bv.bv_val = ber_memrealloc( bv.bv_val, bv.bv_len + 1 );
+ bv.bv_val = ch_realloc( bv.bv_val, bv.bv_len + 1 );
ptr = bv.bv_val;
ptr = lutil_strcopy( ptr, buf );
ptr = lutil_strncopy( ptr, ((*bvp)[ i ]).bv_val, ((*bvp)[ i ]).bv_len );
@@ -2635,7 +2635,7 @@ idassert-authzFrom "dn:<rootdn>"
assert( !BER_BVISNULL( &mt->mt_idassert_authcDN ) );
bv.bv_len = STRLENOF( "dn:" ) + c->be->be_rootndn.bv_len;
- bv.bv_val = ber_memalloc( bv.bv_len + 1 );
+ bv.bv_val = ch_malloc( bv.bv_len + 1 );
AC_MEMCPY( bv.bv_val, "dn:", STRLENOF( "dn:" ) );
AC_MEMCPY( &bv.bv_val[ STRLENOF( "dn:" ) ], c->be->be_rootndn.bv_val, c->be->be_rootndn.bv_len + 1 );
diff --git a/servers/slapd/back-meta/map.c b/servers/slapd/back-meta/map.c
index 144dc693de..ee7aa2f086 100644
--- a/servers/slapd/back-meta/map.c
+++ b/servers/slapd/back-meta/map.c
@@ -381,6 +381,10 @@ ldap_back_int_filter_map_rewrite(
fstr->bv_len = atmp.bv_len + vtmp.bv_len
+ ( sizeof("(=)") - 1 );
fstr->bv_val = ber_memalloc_x( fstr->bv_len + 1, memctx );
+ if ( !fstr->bv_val ) {
+ ber_memfree_x( vtmp.bv_val, memctx );
+ return LDAP_NO_MEMORY;
+ }
snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=%s)",
atmp.bv_val, vtmp.bv_len ? vtmp.bv_val : "" );
@@ -398,6 +402,10 @@ ldap_back_int_filter_map_rewrite(
fstr->bv_len = atmp.bv_len + vtmp.bv_len
+ ( sizeof("(>=)") - 1 );
fstr->bv_val = ber_memalloc_x( fstr->bv_len + 1, memctx );
+ if ( !fstr->bv_val ) {
+ ber_memfree_x( vtmp.bv_val, memctx );
+ return LDAP_NO_MEMORY;
+ }
snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s>=%s)",
atmp.bv_val, vtmp.bv_len ? vtmp.bv_val : "" );
@@ -415,6 +423,10 @@ ldap_back_int_filter_map_rewrite(
fstr->bv_len = atmp.bv_len + vtmp.bv_len
+ ( sizeof("(<=)") - 1 );
fstr->bv_val = ber_memalloc_x( fstr->bv_len + 1, memctx );
+ if ( !fstr->bv_val ) {
+ ber_memfree_x( vtmp.bv_val, memctx );
+ return LDAP_NO_MEMORY;
+ }
snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s<=%s)",
atmp.bv_val, vtmp.bv_len ? vtmp.bv_val : "" );
@@ -432,6 +444,10 @@ ldap_back_int_filter_map_rewrite(
fstr->bv_len = atmp.bv_len + vtmp.bv_len
+ ( sizeof("(~=)") - 1 );
fstr->bv_val = ber_memalloc_x( fstr->bv_len + 1, memctx );
+ if ( !fstr->bv_val ) {
+ ber_memfree_x( vtmp.bv_val, memctx );
+ return LDAP_NO_MEMORY;
+ }
snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s~=%s)",
atmp.bv_val, vtmp.bv_len ? vtmp.bv_val : "" );
@@ -450,17 +466,27 @@ ldap_back_int_filter_map_rewrite(
fstr->bv_len = atmp.bv_len + ( STRLENOF( "(=*)" ) );
fstr->bv_val = ber_memalloc_x( fstr->bv_len + 128, memctx ); /* FIXME: why 128 ? */
+ if ( !fstr->bv_val ) {
+ return LDAP_NO_MEMORY;
+ }
snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)",
atmp.bv_val );
if ( !BER_BVISNULL( &f->f_sub_initial ) ) {
+ char *tmp;
+
len = fstr->bv_len;
filter_escape_value_x( &f->f_sub_initial, &vtmp, memctx );
fstr->bv_len += vtmp.bv_len;
- fstr->bv_val = ber_memrealloc_x( fstr->bv_val, fstr->bv_len + 1, memctx );
+ tmp = ber_memrealloc_x( fstr->bv_val, fstr->bv_len + 1, memctx );
+ if ( !tmp ) {
+ ber_memfree_x( vtmp.bv_val, memctx );
+ return LDAP_NO_MEMORY;
+ }
+ fstr->bv_val = tmp;
snprintf( &fstr->bv_val[len - 2], vtmp.bv_len + 3,
/* "(attr=" */ "%s*)",
@@ -471,11 +497,18 @@ ldap_back_int_filter_map_rewrite(
if ( f->f_sub_any != NULL ) {
for ( i = 0; !BER_BVISNULL( &f->f_sub_any[i] ); i++ ) {
+ char *tmp;
+
len = fstr->bv_len;
filter_escape_value_x( &f->f_sub_any[i], &vtmp, memctx );
fstr->bv_len += vtmp.bv_len + 1;
- fstr->bv_val = ber_memrealloc_x( fstr->bv_val, fstr->bv_len + 1, memctx );
+ tmp = ber_memrealloc_x( fstr->bv_val, fstr->bv_len + 1, memctx );
+ if ( !tmp ) {
+ ber_memfree_x( vtmp.bv_val, memctx );
+ return LDAP_NO_MEMORY;
+ }
+ fstr->bv_val = tmp;
snprintf( &fstr->bv_val[len - 1], vtmp.bv_len + 3,
/* "(attr=[init]*[any*]" */ "%s*)",
@@ -485,12 +518,19 @@ ldap_back_int_filter_map_rewrite(
}
if ( !BER_BVISNULL( &f->f_sub_final ) ) {
+ char *tmp;
+
len = fstr->bv_len;
filter_escape_value_x( &f->f_sub_final, &vtmp, memctx );
fstr->bv_len += vtmp.bv_len;
- fstr->bv_val = ber_memrealloc_x( fstr->bv_val, fstr->bv_len + 1, memctx );
+ tmp = ber_memrealloc_x( fstr->bv_val, fstr->bv_len + 1, memctx );
+ if ( !tmp ) {
+ ber_memfree_x( vtmp.bv_val, memctx );
+ return LDAP_NO_MEMORY;
+ }
+ fstr->bv_val = tmp;
snprintf( &fstr->bv_val[len - 1], vtmp.bv_len + 3,
/* "(attr=[init*][any*]" */ "%s)",
@@ -510,6 +550,9 @@ ldap_back_int_filter_map_rewrite(
fstr->bv_len = atmp.bv_len + ( STRLENOF( "(=*)" ) );
fstr->bv_val = ber_memalloc_x( fstr->bv_len + 1, memctx );
+ if ( !fstr->bv_val ) {
+ return LDAP_NO_MEMORY;
+ }
snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)",
atmp.bv_val );
@@ -537,6 +580,10 @@ ldap_back_int_filter_map_rewrite(
fstr->bv_len += vtmp.bv_len;
fstr->bv_val = ber_memrealloc_x( fstr->bv_val, fstr->bv_len + 1, memctx );
+ if ( !fstr->bv_val ) {
+ ber_memfree_x( vtmp.bv_val, memctx );
+ return LDAP_NO_MEMORY;
+ }
snprintf( &fstr->bv_val[len-1], vtmp.bv_len + 2,
/*"("*/ "%s)", vtmp.bv_len ? vtmp.bv_val : "" );
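Review bot: This hunk assigns the result of `ber_memrealloc_x` straight back to `fstr->bv_val` and only then tests it, so on failure the original buffer is no longer reachable. The three substring hunks earlier in the same file go through a `char *tmp` and keep `fstr->bv_val` intact; the same pattern fits here: `tmp = ber_memrealloc_x( fstr->bv_val, fstr->bv_len + 1, memctx );`, test `tmp`, then `fstr->bv_val = tmp;`. In all of these failure paths `fstr->bv_len` has already been increased, so a caller that keeps using `fstr` after `LDAP_NO_MEMORY` would see a length larger than the buffer. Whether any caller does so is not visible here.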
@@ -565,6 +612,10 @@ ldap_back_int_filter_map_rewrite(
( !BER_BVISEMPTY( &f->f_mr_rule_text ) ? f->f_mr_rule_text.bv_len + 1 : 0 ) +
vtmp.bv_len + ( STRLENOF( "(:=)" ) );
fstr->bv_val = ber_memalloc_x( fstr->bv_len + 1, memctx );
+ if ( !fstr->bv_val ) {
+ ber_memfree_x( vtmp.bv_val, memctx );
+ return LDAP_NO_MEMORY;
+ }
snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s%s%s%s:=%s)",
atmp.bv_val,
diff --git a/servers/slapd/back-meta/search.c b/servers/slapd/back-meta/search.c
index 438b324350..af4ae14397 100644
--- a/servers/slapd/back-meta/search.c
+++ b/servers/slapd/back-meta/search.c
@@ -1301,7 +1301,7 @@ really_bad:;
for ( cnt = 0; references[ cnt ]; cnt++ )
;
- rs->sr_ref = ber_memalloc_x( sizeof( struct berval ) * ( cnt + 1 ),
+ rs->sr_ref = op->o_tmpalloc( sizeof( struct berval ) * ( cnt + 1 ),
op->o_tmpmemctx );
for ( cnt = 0; references[ cnt ]; cnt++ ) {
@@ -1456,7 +1456,7 @@ really_bad:;
for ( cnt = 0; references[ cnt ]; cnt++ )
;
- sr_ref = ber_memalloc_x( sizeof( struct berval ) * ( cnt + 1 ),
+ sr_ref = op->o_tmpalloc( sizeof( struct berval ) * ( cnt + 1 ),
op->o_tmpmemctx );
for ( cnt = 0; references[ cnt ]; cnt++ ) {


@ -0,0 +1,30 @@
From 57b7003a6473206e2526dcc91c7ddb357c7e66de Mon Sep 17 00:00:00 2001
From: Sergei Trofimovich <slyfox@gentoo.org>
Date: Mon, 19 Jun 2017 21:48:05 +0100
Subject: [PATCH] thr_posix.c: fix implicit function declaration for
'pthread_setconcurrency'
thr_posix.c: In function 'ldap_pvt_thread_set_concurrency':
thr_posix.c:96:9: error: implicit declaration of function 'pthread_setconcurrency'
return pthread_setconcurrency( n );
^~~~~~~~~~~~~~~~~~~~~~
pthread_setcanceltype
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
---
libraries/libldap_r/thr_posix.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libraries/libldap_r/thr_posix.c b/libraries/libldap_r/thr_posix.c
index 35bde07327..e0368cc1eb 100644
--- a/libraries/libldap_r/thr_posix.c
+++ b/libraries/libldap_r/thr_posix.c
@@ -14,6 +14,8 @@
* <http://www.OpenLDAP.org/license.html>.
*/
+#define _XOPEN_SOURCE 500 /* For pthread_setconcurrency() on glibc */
+
#include "portable.h"
#if defined( HAVE_PTHREADS )
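Review bot: The added `#define _XOPEN_SOURCE 500` is unconditional, so a build that already sets `_XOPEN_SOURCE` on the command line gets a macro redefinition. A fixed value of 500 can also narrow what the system headers pulled in after it declare for the rest of the file. Guarding it keeps an existing, possibly higher, setting: `#ifndef _XOPEN_SOURCE`, `#define _XOPEN_SOURCE 500 /* For pthread_setconcurrency() on glibc */`, `#endif`. Whether other code in thr_posix.c relies on declarations outside that feature level is not visible in this hunk.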

Binary file not shown.

BIN
openldap-2.4.50.tgz Normal file

Binary file not shown.


@ -1,55 +0,0 @@
From 69709289b083c53ba41d2cef7d65120220f8c59b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 7 May 2013 17:02:57 +0200
Subject: [PATCH] LDAPI SASL fix
Resolves: #960222
---
libraries/libldap/cyrus.c | 19 ++++++++++++++++---
1 Datei geändert, 16 Zeilen hinzugefügt(+), 3 Zeilen entfernt(-)
diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
index 28c241b..a9acf36 100644
--- a/libraries/libldap/cyrus.c
+++ b/libraries/libldap/cyrus.c
@@ -394,6 +394,8 @@ ldap_int_sasl_bind(
struct berval ccred = BER_BVNULL;
int saslrc, rc;
unsigned credlen;
+ char my_hostname[HOST_NAME_MAX + 1];
+ int free_saslhost = 0;
Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n",
mechs ? mechs : "<null>", 0, 0 );
@@ -454,14 +456,25 @@ ldap_int_sasl_bind(
/* If we don't need to canonicalize just use the host
* from the LDAP URI.
+ * Always use the result of gethostname() for LDAPI.
*/
- if ( nocanon )
+ if (ld->ld_defconn->lconn_server->lud_scheme != NULL &&
+ strcmp("ldapi", ld->ld_defconn->lconn_server->lud_scheme) == 0) {
+ rc = gethostname(my_hostname, HOST_NAME_MAX + 1);
+ if (rc == 0) {
+ saslhost = my_hostname;
+ } else {
+ saslhost = "localhost";
+ }
+ } else if ( nocanon )
saslhost = ld->ld_defconn->lconn_server->lud_host;
- else
+ else {
saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb,
"localhost" );
+ free_saslhost = 1;
+ }
rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );
- if ( !nocanon )
+ if ( free_saslhost )
LDAP_FREE( saslhost );
}
--
1.7.11.7


@ -1,8 +1,8 @@
%global systemctl_bin /usr/bin/systemctl %global systemctl_bin /usr/bin/systemctl
Name: openldap Name: openldap
Version: 2.4.46 Version: 2.4.50
Release: 16 Release: 1
Summary: LDAP support libraries Summary: LDAP support libraries
License: OpenLDAP License: OpenLDAP
URL: https://www.openldap.org/ URL: https://www.openldap.org/
@ -24,7 +24,6 @@ Patch17: openldap-allop-overlay.patch
# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327585 # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327585
Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
Patch20: openldap-ldapi-sasl.patch
Patch21: openldap-openssl-allow-ssl3.patch Patch21: openldap-openssl-allow-ssl3.patch
Patch90: check-password-makefile.patch Patch90: check-password-makefile.patch
Patch91: check-password.patch Patch91: check-password.patch
@ -41,35 +40,9 @@ Patch6009: bugfix-openldap-support-tlsv1-and-later.patch
Patch6010: bugfix-openldap-temporary-ssl-thr-init-race.patch Patch6010: bugfix-openldap-temporary-ssl-thr-init-race.patch
Patch6011: Fix-calls-to-SLAP_DEVPOLL_SOCK_LX-for-multi-listener.patch Patch6011: Fix-calls-to-SLAP_DEVPOLL_SOCK_LX-for-multi-listener.patch
Patch6012: Fixup-for-binary-config-attrs.patch Patch6012: Fixup-for-binary-config-attrs.patch
Patch6013: ITS-8864-Fix-ber_realloc-after-a-partial-ber_flush.patch Patch6013: bugfix-openldap-ITS9160-OOM-Handing.patch
Patch6014: bugfix-openldap-fix-implicit-function-declaration.patch
Patch6014: ITS-8840-Fix-domainScope-control-to-ensure-the-contr.patch Patch6015: bugfix-openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch
Patch6015: ITS-8843-check-for-NULL-modlist.patch
Patch6016: Fix-quoting-example.patch
Patch6017: ITS-8667-Do-not-finish-glue-initialisation-in-tool-m.patch
Patch6018: ITS-8842-Do-some-printability-checks-on-the-dc-RDN.patch
Patch6019: ITS-8909-fix-authz-policy-all-condition.patch
Patch6020: ITS-8909-additional-tweak.patch
Patch6021: Fix-index-delete.patch
Patch6022: ITS-8756-remove-loose-pg-from-dirty-list-in-freelist.patch
Patch6023: ITS-8918-fix-typo.patch
Patch6024: ITS-8923-fix-dyngroup-NO_SUCH_OBJECT-error-handling.patch
Patch6025: ITS-8878-Include-the-first-character-in-the-transfor.patch
Patch6026: ITS-8752-maybe-related.patch
Patch6027: ITS-8932-check-rdnNormalize-success.patch
Patch6028: ITS-8727-plug-ber-leaks.patch
Patch6029: ITS-8948-Fix-BDB-lib-to-only-be-linked-with-static-b.patch
Patch6030: ITS-8663-Fix-memberof-SLAP_CONFIG_EMIT.patch
Patch6031: ITS-8472-only-do-index-cleanup-if-DB-is-running.patch
Patch6032: ITS-8957-Fix-ASYNC-TLS.patch
Patch6033: ITS-8980-fix-async-connections-with-non-blocking-TLS.patch
Patch6034: CVE-2019-13057-1.patch
Patch6035: CVE-2019-13057-2.patch
Patch6036: CVE-2019-13057-3.patch
Patch6037: CVE-2019-13057-4.patch
Patch6038: CVE-2019-13565.patch
Patch6039: 0001-openldap-bugfix-make-test.patch
Patch6040: CVE-2020-12243.patch
BuildRequires: cyrus-sasl-devel openssl-devel krb5-devel unixODBC-devel BuildRequires: cyrus-sasl-devel openssl-devel krb5-devel unixODBC-devel
BuildRequires: glibc-devel libtool libtool-ltdl-devel groff perl-interpreter perl-devel perl-generators perl-ExtUtils-Embed BuildRequires: glibc-devel libtool libtool-ltdl-devel groff perl-interpreter perl-devel perl-generators perl-ExtUtils-Embed
@ -141,7 +114,6 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
%patch5 -p1 %patch5 -p1
%patch17 -p1 %patch17 -p1
%patch19 -p1 %patch19 -p1
%patch20 -p1
%patch21 -p1 %patch21 -p1
%patch6000 -p1 %patch6000 -p1
@ -160,31 +132,6 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
%patch6013 -p1 %patch6013 -p1
%patch6014 -p1 %patch6014 -p1
%patch6015 -p1 %patch6015 -p1
%patch6016 -p1
%patch6017 -p1
%patch6018 -p1
%patch6019 -p1
%patch6020 -p1
%patch6021 -p1
%patch6022 -p1
%patch6023 -p1
%patch6024 -p1
%patch6025 -p1
%patch6026 -p1
%patch6027 -p1
%patch6028 -p1
%patch6029 -p1
%patch6030 -p1
%patch6031 -p1
%patch6032 -p1
%patch6033 -p1
%patch6034 -p1
%patch6035 -p1
%patch6036 -p1
%patch6037 -p1
%patch6038 -p1
%patch6039 -p1
%patch6040 -p1
ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd
@ -467,6 +414,12 @@ popd
%doc ltb-project-openldap-ppolicy-check-password-1.1/README.check_pwd %doc ltb-project-openldap-ppolicy-check-password-1.1/README.check_pwd
%changelog %changelog
* Mon Jun 29 2020 zhangxingliang<zhangxingliang3@huawei.com> - 2.4.50-1
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:update to 2.4.50
* Thu May 14 2020 lijingyu <lijingyu15@huawei.com> - 2.4.46-16 * Thu May 14 2020 lijingyu <lijingyu15@huawei.com> - 2.4.46-16
- Type:cves - Type:cves
- ID:CVE-2020-12243 - ID:CVE-2020-12243