From ef1cb3d053888274a8b7d0f59c8392427b01e783 Mon Sep 17 00:00:00 2001
From: Rich Megginson <rmeggins@redhat.com>
Date: Mar 01 2011 23:40:00 +0000
Subject: Bug 680555 - ns-slapd segfaults if I have more than 100 DBs


https://bugzilla.redhat.com/show_bug.cgi?id=680555
Resolves: bug 680555
Bug Description: ns-slapd segfaults if I have more than 100 DBs
Reviewed by: nhosoi, nkinder (Thanks!)
Branch: 389-ds-base-1.2.8
Fix Description: 1) slapi_mapping_tree_select_all() does
be_list[BE_LIST_SIZE] = NULL
so be_list must be of size BE_LIST_SIZE+1
2) loop counter should check be_index, not index, to see if the loop is
completed
3) if the search is going to hit more backends than we can process, just
return ADMINLIMIT_EXCEEDED with an explanatory error message
4) increase the BE_LIST_SIZE to 1000
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
(cherry picked from commit 6c4eac9ca642b99d7664d3a6b04067c3091f5694)

---

diff --git a/ldap/servers/slapd/mapping_tree.c b/ldap/servers/slapd/mapping_tree.c
index 0f63560..898fe93 100644
--- a/ldap/servers/slapd/mapping_tree.c
+++ b/ldap/servers/slapd/mapping_tree.c
@@ -2178,7 +2178,7 @@ int slapi_mapping_tree_select_all(Slapi_PBlock *pb, Slapi_Backend **be_list,
 
     ret = slapi_mtn_get_first_be(node_list, &node, pb, &be, &index, &referral, errorbuf, scope);
 
-    while ((node) &&(index < BE_LIST_SIZE))
+    while ((node) && (be_index <= BE_LIST_SIZE))
     {
         if (ret != LDAP_SUCCESS)
         {
@@ -2204,7 +2204,15 @@ int slapi_mapping_tree_select_all(Slapi_PBlock *pb, Slapi_Backend **be_list,
         {
             if (be && !be_isdeleted(be))
             {
+                if (be_index == BE_LIST_SIZE) { /* error - too many backends */
+                    ret_code = LDAP_ADMINLIMIT_EXCEEDED;
+                    PR_snprintf(errorbuf, BUFSIZ-1,
+                                "Error: too many backends match search request - cannot proceed");
+                    slapi_log_error(SLAPI_LOG_FATAL, NULL, "%s\n", errorbuf);
+                    break;
+                } else {
                     be_list[be_index++]=be;
+                }
             }
 
             if (referral)
diff --git a/ldap/servers/slapd/opshared.c b/ldap/servers/slapd/opshared.c
index b3e2c45..d398cd6 100644
--- a/ldap/servers/slapd/opshared.c
+++ b/ldap/servers/slapd/opshared.c
@@ -192,8 +192,8 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
   int             scope;
   Slapi_Backend   *be = NULL;
   Slapi_Backend   *be_single = NULL;
-  Slapi_Backend   *be_list[BE_LIST_SIZE];
-  Slapi_Entry     *referral_list[BE_LIST_SIZE];
+  Slapi_Backend   *be_list[BE_LIST_SIZE+1];
+  Slapi_Entry     *referral_list[BE_LIST_SIZE+1];
   char            ebuf[ BUFSIZ ];
   char            attrlistbuf[ 1024 ], *attrliststr, **attrs = NULL;
   int             rc = 0;
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index ee02a26..a19e5c8 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -299,7 +299,7 @@ typedef void	(*VFP0)(void);
 #define EGG_OBJECT_CLASS		"directory-team-extensible-object"
 #define EGG_FILTER				"(objectclass=directory-team-extensible-object)"
 
-#define BE_LIST_SIZE 100 /* used by mapping tree code to hold be_list stuff */
+#define BE_LIST_SIZE 1000 /* used by mapping tree code to hold be_list stuff */
 
 #define	REPL_DBTYPE		"ldbm"
 #define	REPL_DBTAG		"repl"