From 1bbbb3e5049c1aa0650546efab87ed2f1ea59637 Mon Sep 17 00:00:00 2001 From: Rich Megginson Date: Jan 06 2012 00:12:15 +0000 Subject: Ticket #162 - Infinite loop / spin inside strcmpi_fast, acl_read_access_allowed_on_attr, server DoS https://fedorahosted.org/389/ticket/162 Resolves: ticket 162 Bug Description: Infinite loop / spin inside strcmpi_fast, acl_read_access_allowed_on_attr, server DoS Reviewed by: nhosoi (Thanks!) Branch: master Fix Description: Cannot use continue - have to go to the end of the loop and get the next attribute - added a label for nextattr and use goto nextattr instead of continue. Platforms tested: RHEL6 x86_64 Flag Day: no Doc impact: no --- diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c index 4a82717..b838bc5 100644 --- a/ldap/servers/plugins/acl/acllas.c +++ b/ldap/servers/plugins/acl/acllas.c @@ -2450,7 +2450,9 @@ acllas__handle_group_entry (Slapi_Entry* e, void *callback_data) } else if (strcasecmp ( attrType, type_memberURL) == 0) { char *memberURL, *savURL; - if (!info->userDN) continue; + if (!info->userDN) { + goto nextattr; /* cannot evaulate memberURL with no userDN - go to next group attribute */ + } i= slapi_attr_first_value ( currAttr,&sval ); while ( i != -1 ) { @@ -2487,13 +2489,14 @@ acllas__handle_group_entry (Slapi_Entry* e, void *callback_data) } i = slapi_attr_next_value ( currAttr, i, &sval ); } - /* Evaluate Fortezza groups */ + /* Evaluate Certificate groups */ } else if ((strcasecmp (attrType, type_memberCert) == 0) ) { /* Do we have the certificate around */ if (!info->clientCert) { slapi_log_error( SLAPI_LOG_ACL, plugin_name, " acllas__handle_group_entry:Client Cert missing\n" ); - continue; + /* cannot evaulate cert membership without cert - go to next attribute */ + goto nextattr; } i = slapi_attr_first_value ( currAttr,&sval ); while ( i != -1 ) { @@ -2507,7 +2510,8 @@ acllas__handle_group_entry (Slapi_Entry* e, void *callback_data) i = slapi_attr_next_value ( currAttr, i, &sval ); } } - + +nextattr: attrType = NULL; /* get the next attr */ slapi_entry_next_attr ( e, currAttr, &nextAttr );