c8ec6e5 Ticket 49969 - DOS caused by malformed search operation (security fix)

Authored and Committed by mreynolds 5 years ago
    Ticket 49969 - DOS caused by malformed search operation (security fix)
    Bug Description:  There are two issues here.  The one in we don't cloase a
                      connection when an invalid unbind occurs.  The other is a
                      search request passing 8MB of NULL bytes as search attributes
                      will keep one thread busy for a long time.  The reason is
                      that the attr array is copied/normalized to the searchattrs in
                      the search operation and does this using charray_add() which
                      iterates thru the array to determine the size of the array and
                      then allocate one element more.  So this means we iterate 8
                      million times an array with a then average size of 4 million
    Fix Description:  We already have traversed the array once and know the size,
                      so we can allocate the needed size once and only copy the element.
                      In addition we check for the kind of degenerated attributes ""
                      as used in this test scenario.  So the fix will reject invalid
                      attr lists and improve performance for valid ones
    Author: Ludwig Krispens <lkrispen@redhat.com>
    Reviewed by: tbordaz & mreynolds (Thanks!)
    (cherry picked from commit a49bd03d6a6debe15be1a70d7109712fba691b8b)
file modified
+14 -2
file modified
+2 -2