From 82625ebf670c0f234e8bcbf18420e84b325e359e Mon Sep 17 00:00:00 2001 From: Rich Megginson Date: Jun 23 2010 17:48:24 +0000 Subject: Bug 603942 - null deref in _ger_parse_control() for subjectdn https://bugzilla.redhat.com/show_bug.cgi?id=603942 Resolves: bug 603942 Bug Description: null deref in _ger_parse_control() for subjectdn Reviewed by: nkinder (Thanks!) Branch: Directory_Server_8_2_Branch Fix Description: Needed to pass &orig to ber_scanf 'a' instead of orig. Also,check for NULL before doing strlen(orig). Platforms tested: RHEL5 x86_64 Flag Day: no Doc impact: no
---
diff --git a/ldap/servers/plugins/acl/acleffectiverights.c b/ldap/servers/plugins/acl/acleffectiverights.c
index acf856c..013c088 100644
--- a/ldap/servers/plugins/acl/acleffectiverights.c
+++ b/ldap/servers/plugins/acl/acleffectiverights.c
@@ -244,7 +244,7 @@ _ger_parse_control (
 return LDAP_OPERATIONS_ERROR;
 }
 /* "a" means to allocate storage as needed for octet string */
- if ( ber_scanf (ber, "a", orig) == LBER_ERROR )
+ if ( ber_scanf (ber, "a", &orig) == LBER_ERROR )
 {
 aclutil_str_append ( errbuf, "get-effective-rights: invalid ber tag in the subject" );
 slapi_log_error (SLAPI_LOG_FATAL, plugin_name, "%s\n", *errbuf );
@@ -259,7 +259,7 @@ _ger_parse_control (
 * (see section 9 of RFC 2829) only. It also only supports the "dnAuthzId"
 * flavor, which looks like "dn:" where null is for anonymous.
 */
- subjectndnlen = strlen(orig);
+ subjectndnlen = orig ? strlen(orig) : 0;
 if ( NULL == orig || subjectndnlen < 3 || strncasecmp ( "dn:", orig, 3 ) != 0 )
 {
 aclutil_str_append ( errbuf, "get-effective-rights: subject is not dnAuthzId" );
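Review bot: Because ber_scanf is variadic, the compiler cannot check that the `"a"` format receives a `char **`, so the one-character mistake corrected in the first hunk would be easy to reintroduce. I would extend the existing comment to state the contract, for example `/* "a" allocates a NUL-terminated copy and stores it through a char **; the caller owns and must free it */`. The declaration of `orig` is outside the hunk; it should start as NULL so that every exit path can free it unconditionally. The LBER_ERROR branch continues past the end of the hunk, so whether it releases `orig` before returning cannot be confirmed from here.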
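Review bot: In the second hunk, the rejection branch that follows the new length computation is now reached with a string that ber_scanf allocated (any subject that is too short or lacks the `dn:` prefix) as well as with NULL, so it has to release `orig` before returning; its body runs past the end of the hunk and I cannot confirm that it does. The `NULL == orig ||` term is now redundant with `subjectndnlen < 3`, which is harmless, but a short comment such as `/* orig may still be NULL here; length 0 then fails the dnAuthzId check */` would make the intent explicit. Since the subject arrives in a control on the request, a regression test that sends an empty subject and one shorter than three bytes would pin both the crash fix and the cleanup on this path.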