ea0578b Bug 1024552 DoS due to improper handling of ger attr searches
https://bugzilla.redhat.com/show_bug.cgi?id=1024552
Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: The traversal of the attr list looking for GER objectclasses
was modifying the same attribute twice, removing the "@" from it. The second
time, since there was no "@" in the string, the strchr would return NULL, and
the code would not check for it.
The code was simplified and rewritten to use charray_merge_nodup
to build the gerattrs list with unique objectclass values, which I believe was
the intention of the original code. I also added some error checking to look
for invalid attributes like "@name", "name@" and "name@name@name".
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
(cherry picked from commit 3a1ce9e326d9788be233f7edd9d7bad20efb9690)
(cherry picked from commit 47f1769dbd1618d0385fb3e5441219f9c280486b)
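The checks named in the fix description, as an added C example that is not the 389-ds code from this commit: the input string is never modified, the `strchr` result is tested for NULL, and the three malformed forms are rejected. All function and type names are hypothetical; treating a name without "@" as an ordinary attribute and comparing objectclass names case-insensitively are assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* All names here are hypothetical; this is not the 389-ds code. */
enum ger_kind { GER_INVALID = -1, GER_PLAIN = 0, GER_TYPED = 1 };

/* Classify one requested attribute without writing to it, so a second pass
 * over the same list sees the same string. *oc is set only for GER_TYPED. */
enum ger_kind ger_classify(const char *attr, const char **oc)
{
    const char *at = attr ? strchr(attr, '@') : NULL;
    *oc = NULL;
    if (attr == NULL)
        return GER_INVALID;
    if (at == NULL)              /* no "@": ordinary attribute, nothing to split */
        return GER_PLAIN;
    if (at == attr || at[1] == '\0' || strchr(at + 1, '@') != NULL)
        return GER_INVALID;      /* "@name", "name@", "name@name@name" */
    *oc = at + 1;
    return GER_TYPED;
}

/* Collect unique objectclass names from a NULL-terminated attr list into out.
 * Returns the count, or -1 on a malformed entry or when out[] is full. */
int ger_collect(const char *const *attrs, const char **out, size_t cap)
{
    size_t n = 0, i, j;
    for (i = 0; attrs[i] != NULL; i++) {
        const char *oc;
        enum ger_kind kind = ger_classify(attrs[i], &oc);
        if (kind == GER_INVALID)
            return -1;
        if (kind == GER_PLAIN)
            continue;
        for (j = 0; j < n && strcasecmp(out[j], oc) != 0; j++) {}
        if (j == n) {            /* not seen yet: append */
            if (n == cap)
                return -1;
            out[n++] = oc;
        }
    }
    return (int)n;
}

/* Constructed sample request list: two spellings of one objectclass, one other. */
const char *const ger_sample[] = { "cn", "cn@person", "sn@Person", "uid@posixAccount", NULL };
int main(void) { const char *o[4]; return ger_collect(ger_sample, o, 4) == 2 ? 0 : 1; }
```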