diff --git a/0001-openldap-bugfix-make-test.patch b/0001-openldap-bugfix-make-test.patch
deleted file mode 100644
index 2911bfcdb6c369712b43be8fb0967b223c9e1f52..0000000000000000000000000000000000000000
--- a/0001-openldap-bugfix-make-test.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From c88b4c85db310ecd0f2f5bb02478cc56f5590d53 Mon Sep 17 00:00:00 2001
-From: Quanah Gibson-Mount
-Date: Wed, 3 Oct 2018 20:28:54 +0000
-Subject: [PATCH] Update test044 to catch ITS#8923
-
-DTS/AR:
-reason:
----
- openldap-2.4.46/tests/scripts/test044-dynlist | 30 +++++++++++++++++++++++++++
- openldap-2.4.46/tests/scripts/defines.sh | 1 +
- openldap-2.4.46/tests/scripts/test044-dynlist | 8 ++++----
- 3 file changed, 35 insertions(+), 4 deletions(-)
-
-diff --git a/tests/scripts/test044-dynlist b/tests/scripts/test044-dynlist
-index 07b65c5..4c6390e 100755
---- a/tests/scripts/test044-dynlist
-+++ b/tests/scripts/test044-dynlist
-@@ -468,6 +468,36 @@ case $RC in
- esac
- echo "" >> $SEARCHOUT
-
-+CMPDN="$BADBJORNSDN"
-+echo "Testing list compare (should return FALSE)..."
-+echo "# Testing list compare... (should return FALSE)" >> $SEARCHOUT
-+$LDAPCOMPARE -h $LOCALHOST -p $PORT1 \
-+ "cn=Dynamic List of Members,$LISTDN" "member:$CMPDN" \
-+ >> $SEARCHOUT 2>&1
-+RC=$?
-+case $RC in
-+5)
-+ echo "ldapcompare returned FALSE ($RC)"
-+ ;;
-+6)
-+ echo "ldapcompare returned TRUE ($RC)!"
-+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
-+ exit $RC
-+ ;;
-+0)
-+ echo "ldapcompare returned success ($RC)!"
-+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
-+ exit -1
-+ ;;
-+*)
-+ echo "ldapcompare failed ($RC)!"
-+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
-+ exit $RC
-+ ;;
-+esac
-+echo "" >> $SEARCHOUT
-+
-+
- CMPDN="$BJORNSDN"
- echo "Testing list compare (should return FALSE)..."
- echo "# Testing list compare (should return FALSE)..." >> $SEARCHOUT
-
-
-diff --git a/openldap-2.4.46/tests/scripts/defines.sh b/openldap-2.4.46/tests/scripts/defines.sh
-index 97cf08f..7d62023 100755
---- a/tests/scripts/defines.sh
-+++ b/tests/scripts/defines.sh
-@@ -261,6 +261,7 @@ UPDATEDN="cn=Replica,$BASEDN"
- PASSWD=secret
- BABSDN="cn=Barbara Jensen,ou=Information Technology DivisioN,ou=People,$BASEDN"
- BJORNSDN="cn=Bjorn Jensen,ou=Information Technology DivisioN,ou=People,$BASEDN"
-+BADBJORNSDN="cn=Bjorn JensenNotReally,ou=Information Technology DivisioN,ou=People,$BASEDN"
- JAJDN="cn=James A Jones 1,ou=Alumni Association,ou=People,$BASEDN"
- JOHNDDN="cn=John Doe,ou=Information Technology Division,ou=People,$BASEDN"
- MELLIOTDN="cn=Mark Elliot,ou=Alumni Association,ou=People,$BASEDN"
-
-
-diff --git a/tests/scripts/test044-dynlist b/tests/scripts/test044-dynlist
-index 4c6390e..8ace1a8 100755
---- a/tests/scripts/test044-dynlist
-+++ b/tests/scripts/test044-dynlist
-@@ -448,13 +448,13 @@ $LDAPCOMPARE -h $LOCALHOST -p $PORT1 \
- RC=$?
- case $RC in
- 5)
-- echo "ldapcompare returned FALSE ($RC)"
-- ;;
--6)
-- echo "ldapcompare returned TRUE ($RC)!"
-+ echo "ldapcompare returned FALSE ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
- ;;
-+6)
-+ echo "ldapcompare returned TRUE ($RC)"
-+ ;;
- 0)
- echo "ldapcompare returned success ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
---
-1.8.3.1
-
diff --git a/CVE-2019-13057-1.patch b/CVE-2019-13057-1.patch
deleted file mode 100644
index 4444eec668069db4cbdf03bfc9fa05cf66082017..0000000000000000000000000000000000000000
--- a/CVE-2019-13057-1.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From f120d0e461178b5974694876ba2d2bdba4f7d122 Mon Sep 17 00:00:00 2001
-From: Howard Chu
-Date: Wed, 19 Jun 2019 12:29:02 +0100
-Subject: [PATCH] ITS#9038 restrict rootDN proxyauthz to its own DBs.
-
-Treat as normal user for any other DB.
----
- servers/slapd/saslauthz.c | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
-index 64c7053..b3727ea 100644
---- a/servers/slapd/saslauthz.c
-+++ b/servers/slapd/saslauthz.c
-@@ -2062,12 +2062,13 @@ int slap_sasl_authorized( Operation *op,
- goto DONE;
- }
-
-- /* Allow the manager to authorize as any DN. */
-- if( op->o_conn->c_authz_backend &&
-- be_isroot_dn( op->o_conn->c_authz_backend, authcDN ))
-+ /* Allow the manager to authorize as any DN in its own DBs. */
- {
-- rc = LDAP_SUCCESS;
-- goto DONE;
-+ Backend *zbe = select_backend( authzDN, 1 );
-+ if ( zbe && be_isroot_dn( zbe, authcDN )) {
-+ rc = LDAP_SUCCESS;
-+ goto DONE;
-+ }
- }
-
- /* Check source rules */
---
-1.7.10.4
diff --git a/CVE-2019-13057-2.patch b/CVE-2019-13057-2.patch
deleted file mode 100644
index 394d2d9c964d5adf83108df89006893555991dff..0000000000000000000000000000000000000000
--- a/CVE-2019-13057-2.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From ce5869c89a0cf1a9ec23bde014cb4c11f4d0360c Mon Sep 17 00:00:00 2001
-From: =?utf8?q?Ond=C5=99ej=20Kuzn=C3=ADk?=
-Date: Wed, 19 Jun 2019 18:47:32 +0200
-Subject: [PATCH] ITS#9038 Update test028 to test this is enforced
-
----
- tests/data/idassert.out | 5 +++++
- tests/data/slapd-idassert.conf | 1 +
- tests/data/test-idassert1.ldif | 6 ++++++
- tests/scripts/test028-idassert | 24 ++++++++++++++++++++++++
- 4 files changed, 36 insertions(+)
-
-diff --git a/tests/data/idassert.out b/tests/data/idassert.out
-index 53d76bb..fa51c25 100644
---- a/tests/data/idassert.out
-+++ b/tests/data/idassert.out
-@@ -4,6 +4,11 @@ objectClass: dcObject
- o: Example, Inc.
- dc: example
-
-+dn: cn=Manager,o=Example,c=US
-+objectClass: inetOrgPerson
-+cn: Manager
-+sn: Parson
-+
- dn: ou=People,o=Example,c=US
- objectClass: organizationalUnit
- ou: People
-diff --git a/tests/data/slapd-idassert.conf b/tests/data/slapd-idassert.conf
-index 88d66a3..561c5cc 100644
---- a/tests/data/slapd-idassert.conf
-+++ b/tests/data/slapd-idassert.conf
-@@ -36,6 +36,7 @@ argsfile @TESTDIR@/slapd.1.args
- #######################################################################
-
- authz-policy both
-+authz-regexp "^uid=manager,.+" "cn=Manager,dc=example,dc=com"
- authz-regexp "^uid=admin/([^,]+),.+" "ldap:///ou=Admin,dc=example,dc=com??sub?(cn=$1)"
- authz-regexp "^uid=it/([^,]+),.+" "ldap:///ou=People,dc=example,dc=it??sub?(uid=$1)"
- authz-regexp "^uid=(us/)?([^,]+),.+" "ldap:///ou=People,dc=example,dc=com??sub?(uid=$2)"
-diff --git a/tests/data/test-idassert1.ldif b/tests/data/test-idassert1.ldif
-index 063d6ec..3ccbd1a 100644
---- a/tests/data/test-idassert1.ldif
-+++ b/tests/data/test-idassert1.ldif
-@@ -4,6 +4,12 @@ objectClass: dcObject
- o: Example, Inc.
- dc: example
-
-+dn: cn=Manager,dc=example,dc=com
-+objectClass: inetOrgPerson
-+cn: Manager
-+sn: Parson
-+userPassword: secret
-+
- dn: ou=People,dc=example,dc=com
- objectClass: organizationalUnit
- ou: People
-diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
-index b1e1674..9e5e107 100755
---- a/tests/scripts/test028-idassert
-+++ b/tests/scripts/test028-idassert
-@@ -191,6 +191,17 @@ if test $RC != 0 ; then
- exit $RC
- fi
-
-+AUTHZID="u:it/jaj"
-+echo "Checking another DB's rootdn can't assert identity from another DB..."
-+$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD -e\!"authzid=$AUTHZID"
-+
-+RC=$?
-+if test $RC != 1 ; then
-+ echo "ldapwhoami should have failed ($RC)!"
-+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
-+ exit $RC
-+fi
-+
- ID="uid=jaj,ou=People,dc=example,dc=it"
- BASE="o=Example,c=US"
- echo "Testing ldapsearch as $ID for \"$BASE\"..."
-@@ -231,6 +242,19 @@ if test $USE_SASL != "no" ; then
- exit $RC
- fi
-
-+ ID="manager"
-+ AUTHZID="u:it/jaj"
-+ echo "Checking another DB's rootdn can't assert in another (with SASL bind this time)..."
-+ $LDAPSASLWHOAMI -h $LOCALHOST -p $PORT1 \
-+ -Q -U "$ID" -w $PASSWD -Y $MECH -X $AUTHZID
-+
-+ RC=$?
-+ if test $RC != 50 ; then
-+ echo "ldapwhoami should have failed ($RC)!"
-+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
-+ exit $RC
-+ fi
-+
- echo "Filtering ldapsearch results..."
- $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
- echo "Filtering original ldif used to create database..."
---
-1.7.10.4
-
diff --git a/CVE-2019-13057-3.patch b/CVE-2019-13057-3.patch
deleted file mode 100644
index a1317d321a7bfe6d024a11a332fb0fd98ab84b3b..0000000000000000000000000000000000000000
--- a/CVE-2019-13057-3.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From c064d45c5d4551f2321276c3a5ed25b1c08e115d Mon Sep 17 00:00:00 2001
-From: =?utf8?q?Ond=C5=99ej=20Kuzn=C3=ADk?=
-Date: Mon, 24 Jun 2019 16:37:23 +0200
-Subject: [PATCH] ITS#9038 Fix typo in test script
-
----
- tests/scripts/test028-idassert | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
-index 9e5e107..564a615 100755
---- a/tests/scripts/test028-idassert
-+++ b/tests/scripts/test028-idassert
-@@ -199,7 +199,7 @@ RC=$?
- if test $RC != 1 ; then
- echo "ldapwhoami should have failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
-- exit $RC
-+ exit 1
- fi
-
- ID="uid=jaj,ou=People,dc=example,dc=it"
---
-1.7.10.4
-
diff --git a/CVE-2019-13057-4.patch b/CVE-2019-13057-4.patch
deleted file mode 100644
index 99086c6044fa25e975c4d88519697d1690442802..0000000000000000000000000000000000000000
--- a/CVE-2019-13057-4.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 0832ec02f0679cf0862dca2cca5280be1e4fdb37 Mon Sep 17 00:00:00 2001
-From: =?utf8?q?Ond=C5=99ej=20Kuzn=C3=ADk?=
-Date: Thu, 27 Jun 2019 00:45:29 +0200
-Subject: [PATCH] ITS#9038 Another test028 typo
-
----
- tests/scripts/test028-idassert | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
-index 564a615..dacd68d 100755
---- a/tests/scripts/test028-idassert
-+++ b/tests/scripts/test028-idassert
-@@ -252,7 +252,7 @@ if test $USE_SASL != "no" ; then
- if test $RC != 50 ; then
- echo "ldapwhoami should have failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
-- exit $RC
-+ exit 1
- fi
-
- echo "Filtering ldapsearch results..."
---
-1.7.10.4
-
diff --git a/CVE-2019-13565.patch b/CVE-2019-13565.patch
deleted file mode 100644
index 1c11d63bd20174419ec798db023ba4c5af37b54f..0000000000000000000000000000000000000000
--- a/CVE-2019-13565.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 744a46a1acb93798f4e027290191d6a11dd4c18c Mon Sep 17 00:00:00 2001
-From: Howard Chu
-Date: Wed, 10 Jul 2019 21:29:39 +0100
-Subject: [PATCH] ITS#9052 zero out sasl_ssf in connection_init
-
----
- servers/slapd/connection.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
-index b85bcb4..704067c 100644
---- a/servers/slapd/connection.c
-+++ b/servers/slapd/connection.c
-@@ -554,7 +554,7 @@ Connection * connection_init(
- c->c_close_reason = "?"; /* should never be needed */
-
- c->c_ssf = c->c_transport_ssf = ssf;
-- c->c_tls_ssf = 0;
-+ c->c_tls_ssf = c->c_sasl_ssf = 0;
-
- #ifdef HAVE_TLS
- if ( flags & CONN_IS_TLS ) {
---
-1.7.10.4
-
diff --git a/Fix-index-delete.patch b/Fix-index-delete.patch
deleted file mode 100644
index 8f38fba95546d0015b382ecee93c5da45221c0fa..0000000000000000000000000000000000000000
--- a/Fix-index-delete.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 86bd2da6ac69acc2df956260d081d03421116828 Mon Sep 17 00:00:00 2001
-From: Howard Chu
-Date: Fri, 31 Aug 2018 14:28:22 +0100
-Subject: [PATCH 034/109] Fix index delete
-
-Deleting all indices should also reset default mask
----
- servers/slapd/back-bdb/config.c | 3 ++-
- servers/slapd/back-mdb/config.c | 3 ++-
- 2 files changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/servers/slapd/back-bdb/config.c b/servers/slapd/back-bdb/config.c
-index a1cd0d605..24c4753ba 100644
---- a/servers/slapd/back-bdb/config.c
-+++ b/servers/slapd/back-bdb/config.c
-@@ -602,10 +602,11 @@ bdb_cf_gen( ConfigArgs *c )
- if ( c->valx == -1 ) {
- int i;
-
-- /* delete all (FIXME) */
-+ /* delete all */
- for ( i = 0; i < bdb->bi_nattrs; i++ ) {
- bdb->bi_attrs[i]->ai_indexmask |= BDB_INDEX_DELETING;
- }
-+ bdb->bi_defaultmask = 0;
- bdb->bi_flags |= BDB_DEL_INDEX;
- c->cleanup = bdb_cf_cleanup;
-
-diff --git a/servers/slapd/back-mdb/config.c b/servers/slapd/back-mdb/config.c
-index d4c6f96aa..ded7a087c 100644
---- a/servers/slapd/back-mdb/config.c
-+++ b/servers/slapd/back-mdb/config.c
-@@ -423,10 +423,11 @@ mdb_cf_gen( ConfigArgs *c )
- if ( c->valx == -1 ) {
- int i;
-
-- /* delete all (FIXME) */
-+ /* delete all */
- for ( i = 0; i < mdb->mi_nattrs; i++ ) {
- mdb->mi_attrs[i]->ai_indexmask |= MDB_INDEX_DELETING;
- }
-+ mdb->mi_defaultmask = 0;
- mdb->mi_flags |= MDB_DEL_INDEX;
- c->cleanup = mdb_cf_cleanup;
-
---
-2.19.1
-
diff --git a/Fix-quoting-example.patch b/Fix-quoting-example.patch
deleted file mode 100644
index 875f937dd87047bc7a5f1cb68ea0d6a49642479c..0000000000000000000000000000000000000000
--- a/Fix-quoting-example.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 4626a7d0edf687c63452dc671a2fbb7f44aa64b8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?=
-Date: Thu, 14 Jun 2018 16:08:36 +0100
-Subject: [PATCH 018/109] Fix quoting example
-
----
- doc/man/man5/ldap.conf.5 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
-index 0c8ec8a0e..8c67bc0ae 100644
---- a/doc/man/man5/ldap.conf.5
-+++ b/doc/man/man5/ldap.conf.5
-@@ -85,7 +85,7 @@ For example,
- # Right - DN syntax needs quoting for Example, Inc:
- BASE ou=IT staff,o="Example, Inc",c=US
- # or:
-- BASE ou=IT staff,o=Example2C Inc,c=US
-+ BASE ou=IT staff,o=Example\\2C Inc,c=US
-
- # Wrong - comment on same line as option:
- DEREF never # Never follow aliases
---
-2.19.1
-
diff --git a/ITS-8472-only-do-index-cleanup-if-DB-is-running.patch b/ITS-8472-only-do-index-cleanup-if-DB-is-running.patch
deleted file mode 100644
index f8a34848b2165ffcd449ff8e314ba61190e29101..0000000000000000000000000000000000000000
--- a/ITS-8472-only-do-index-cleanup-if-DB-is-running.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 55daae4afc3cd2ee6dcbd97a73260113935d2676 Mon Sep 17 00:00:00 2001
-From: Howard Chu
-Date: Fri, 25 Jan 2019 18:11:58 +0000
-Subject: [PATCH 096/109] ITS#8472 only do index cleanup if DB is running
-
----
- servers/slapd/back-mdb/config.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/servers/slapd/back-mdb/config.c b/servers/slapd/back-mdb/config.c
-index df9db5edd..c404e58e7 100644
---- a/servers/slapd/back-mdb/config.c
-+++ b/servers/slapd/back-mdb/config.c
-@@ -260,6 +260,7 @@ mdb_cf_cleanup( ConfigArgs *c )
- }
-
- if ( mdb->mi_flags & MDB_OPEN_INDEX ) {
-+ mdb->mi_flags ^= MDB_OPEN_INDEX;
- rc = mdb_attr_dbs_open( c->be, NULL, &c->reply );
- if ( rc )
- rc = LDAP_OTHER;
-@@ -631,8 +632,8 @@ mdb_cf_gen( ConfigArgs *c )
- c->argc - 1, &c->argv[1], &c->reply);
-
- if( rc != LDAP_SUCCESS ) return 1;
-- mdb->mi_flags |= MDB_OPEN_INDEX;
- if ( mdb->mi_flags & MDB_IS_OPEN ) {
-+ mdb->mi_flags |= MDB_OPEN_INDEX;
- c->cleanup = mdb_cf_cleanup;
- if ( !mdb->mi_index_task ) {
- /* Start the task as soon as we finish here. Set a long
---
-2.19.1
-
diff --git a/ITS-8663-Fix-memberof-SLAP_CONFIG_EMIT.patch b/ITS-8663-Fix-memberof-SLAP_CONFIG_EMIT.patch
deleted file mode 100644
index 57ffc1d94acf3b93bda3ffe22282c1cbba826f6e..0000000000000000000000000000000000000000
--- a/ITS-8663-Fix-memberof-SLAP_CONFIG_EMIT.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 7553afa6fd524181bd5d7c5fa8808bbd0fc09864 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?=
-Date: Mon, 14 Jan 2019 11:44:35 +0000
-Subject: [PATCH 086/109] ITS#8663 Fix memberof SLAP_CONFIG_EMIT
-
----
- servers/slapd/overlays/memberof.c | 8 ++------
- 1 file changed, 2 insertions(+), 6 deletions(-)
-
-diff --git a/servers/slapd/overlays/memberof.c b/servers/slapd/overlays/memberof.c
-index 54c24682a..7e0c8f22b 100644
---- a/servers/slapd/overlays/memberof.c
-+++ b/servers/slapd/overlays/memberof.c
-@@ -1895,15 +1895,11 @@ mo_cf_gen( ConfigArgs *c )
- break;
-
- case MO_MEMBER_AD:
-- if ( mo->mo_ad_member != NULL ){
-- value_add_one( &c->rvalue_vals, &mo->mo_ad_member->ad_cname );
-- }
-+ c->value_ad = mo->mo_ad_member;
- break;
-
- case MO_MEMBER_OF_AD:
-- if ( mo->mo_ad_memberof != NULL ){
-- value_add_one( &c->rvalue_vals, &mo->mo_ad_memberof->ad_cname );
-- }
-+ c->value_ad = mo->mo_ad_memberof;
- break;
-
- default:
---
-2.19.1
-
diff --git a/ITS-8667-Do-not-finish-glue-initialisation-in-tool-m.patch b/ITS-8667-Do-not-finish-glue-initialisation-in-tool-m.patch
deleted file mode 100644
index 26d3d02c738a2266e8330ba55a4d3d437d4851cc..0000000000000000000000000000000000000000
--- a/ITS-8667-Do-not-finish-glue-initialisation-in-tool-m.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 8c09d9a132d148ebad1e7f303ae99d357815ffff Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?=
-Date: Wed, 27 Jun 2018 10:32:04 +0100
-Subject: [PATCH 021/109] ITS#8667 Do not finish glue initialisation in tool
- mode unless requested
-
----
- servers/slapd/backglue.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/servers/slapd/backglue.c b/servers/slapd/backglue.c
-index 53c92448f..c2cfed45c 100644
---- a/servers/slapd/backglue.c
-+++ b/servers/slapd/backglue.c
-@@ -1312,7 +1312,7 @@ glue_db_init(
-
- SLAP_DBFLAGS( be ) |= SLAP_DBFLAG_GLUE_INSTANCE;
-
-- if ( ga_list ) {
-+ if ( ga_list && ( slapMode & SLAP_SERVER_MODE ) ) {
- be->bd_info = (BackendInfo *)oi;
- glue_sub_attach( 1 );
- }
---
-2.19.1
-
diff --git a/ITS-8727-plug-ber-leaks.patch b/ITS-8727-plug-ber-leaks.patch
deleted file mode 100644
index 70cff8ea5331a96ed6b094840e73741cb331b973..0000000000000000000000000000000000000000
--- a/ITS-8727-plug-ber-leaks.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 11320a9156e1306c251b27443439dc2e1db0107b Mon Sep 17 00:00:00 2001
-From: Howard Chu
-Date: Tue, 17 Jan 2017 11:35:54 +0000
-Subject: [PATCH 076/109] ITS#8727 plug ber leaks
-
----
- libraries/libldap/request.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/libraries/libldap/request.c b/libraries/libldap/request.c
-index 31145432f..7d2d7a458 100644
---- a/libraries/libldap/request.c
-+++ b/libraries/libldap/request.c
-@@ -315,6 +315,7 @@ ldap_send_server_request(
- LDAP_MUTEX_UNLOCK( &ld->ld_options.ldo_mutex );
- if ( rc == -1 ) {
- ld->ld_errno = LDAP_ENCODING_ERROR;
-+ ber_free( ber, 1 );
- LDAP_CONN_UNLOCK_IF(m_noconn);
- return rc;
- }
-@@ -334,6 +335,7 @@ ldap_send_server_request(
- rc = -1;
- }
- if ( rc ) {
-+ ber_free( ber, 1 );
- LDAP_CONN_UNLOCK_IF(m_noconn);
- return rc;
- }
---
-2.19.1
-
diff --git a/ITS-8752-maybe-related.patch b/ITS-8752-maybe-related.patch
deleted file mode 100644
index c9fa50e77a360076eefdbf34423e1bfade8dd015..0000000000000000000000000000000000000000
--- a/ITS-8752-maybe-related.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 09aea7d84492dbfe61adf197214f206d99b43469 Mon Sep 17 00:00:00 2001
-From: Howard Chu
-Date: Wed, 5 Dec 2018 10:41:47 +0000
-Subject: [PATCH 062/109] ITS#8752 (maybe related)
-
-Avoid incremental access to user-supplied bv in dupbv
----
- libraries/liblber/memory.c | 27 ++++++++++++++++-----------
- 1 file changed, 16 insertions(+), 11 deletions(-)
-
-diff --git a/libraries/liblber/memory.c b/libraries/liblber/memory.c
-index a99f5044c..aa1d1e123 100644
---- a/libraries/liblber/memory.c
-+++ b/libraries/liblber/memory.c
-@@ -482,7 +482,7 @@ struct berval *
- ber_dupbv_x(
- struct berval *dst, struct berval *src, void *ctx )
- {
-- struct berval *new;
-+ struct berval *new, tmp;
-
- if( src == NULL ) {
- ber_errno = LBER_ERROR_PARAM;
-@@ -490,7 +490,7 @@ ber_dupbv_x(
- }
-
- if ( dst ) {
-- new = dst;
-+ new = &tmp;
- } else {
- if(( new = ber_memalloc_x( sizeof(struct berval), ctx )) == NULL ) {
- return NULL;
-@@ -500,18 +500,23 @@ ber_dupbv_x(
- if ( src->bv_val == NULL ) {
- new->bv_val = NULL;
- new->bv_len = 0;
-- return new;
-- }
-+ } else {
-
-- if(( new->bv_val = ber_memalloc_x( src->bv_len + 1, ctx )) == NULL ) {
-- if ( !dst )
-- ber_memfree_x( new, ctx );
-- return NULL;
-+ if(( new->bv_val = ber_memalloc_x( src->bv_len + 1, ctx )) == NULL ) {
-+ if ( !dst )
-+ ber_memfree_x( new, ctx );
-+ return NULL;
-+ }
-+
-+ AC_MEMCPY( new->bv_val, src->bv_val, src->bv_len );
-+ new->bv_val[src->bv_len] = '\0';
-+ new->bv_len = src->bv_len;
- }
-
-- AC_MEMCPY( new->bv_val, src->bv_val, src->bv_len );
-- new->bv_val[src->bv_len] = '\0';
-- new->bv_len = src->bv_len;
-+ if ( dst ) {
-+ *dst = *new;
-+ new = dst;
-+ }
-
- return new;
- }
---
-2.19.1
-
diff --git a/ITS-8756-remove-loose-pg-from-dirty-list-in-freelist.patch b/ITS-8756-remove-loose-pg-from-dirty-list-in-freelist.patch
deleted file mode 100644
index 0568235f27a663626caec310cad5354c80dc8bfd..0000000000000000000000000000000000000000
--- a/ITS-8756-remove-loose-pg-from-dirty-list-in-freelist.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 1f33a6d9109792c0a2c88793092264080fe856b0 Mon Sep 17 00:00:00 2001
-From: Howard Chu
-Date: Fri, 22 Jun 2018 16:30:13 +0100
-Subject: [PATCH 038/109] ITS#8756 remove loose pg from dirty list in
- freelist_save
-
----
- libraries/liblmdb/mdb.c | 33 ++++++++++++++++++++++++++++++++-
- 1 file changed, 32 insertions(+), 1 deletion(-)
-
-diff --git a/libraries/liblmdb/mdb.c b/libraries/liblmdb/mdb.c
-index 0662f2d8b..e12af4482 100644
---- a/libraries/liblmdb/mdb.c
-+++ b/libraries/liblmdb/mdb.c
-@@ -3094,10 +3094,41 @@ mdb_freelist_save(MDB_txn *txn)
- * we may be unable to return them to me_pghead.
- */
- MDB_page *mp = txn->mt_loose_pgs;
-+ MDB_ID2 *dl = txn->mt_u.dirty_list;
-+ unsigned x;
- if ((rc = mdb_midl_need(&txn->mt_free_pgs, txn->mt_loose_count)) != 0)
- return rc;
-- for (; mp; mp = NEXT_LOOSE_PAGE(mp))
-+ for (; mp; mp = NEXT_LOOSE_PAGE(mp)) {
- mdb_midl_xappend(txn->mt_free_pgs, mp->mp_pgno);
-+ /* must also remove from dirty list */
-+ if (txn->mt_flags & MDB_TXN_WRITEMAP) {
-+ for (x=1; x<=dl[0].mid; x++)
-+ if (dl[x].mid == mp->mp_pgno)
-+ break;
-+ mdb_tassert(txn, x <= dl[0].mid);
-+ } else {
-+ x = mdb_mid2l_search(dl, mp->mp_pgno);
-+ mdb_tassert(txn, dl[x].mid == mp->mp_pgno);
-+ }
-+ dl[x].mptr = NULL;
-+ mdb_dpage_free(env, mp);
-+ }
-+ {
-+ /* squash freed slots out of the dirty list */
-+ unsigned y;
-+ for (y=1; dl[y].mptr && y <= dl[0].mid; y++);
-+ if (y <= dl[0].mid) {
-+ for(x=y, y++;;) {
-+ while (!dl[y].mptr && y <= dl[0].mid) y++;
-+ if (y > dl[0].mid) break;
-+ dl[x++] = dl[y++];
-+ }
-+ dl[0].mid = x-1;
-+ } else {
-+ /* all slots freed */
-+ dl[0].mid = 0;
-+ }
-+ }
- txn->mt_loose_pgs = NULL;
- txn->mt_loose_count = 0;
- }
---
-2.19.1
-
diff --git a/ITS-8840-Fix-domainScope-control-to-ensure-the-contr.patch b/ITS-8840-Fix-domainScope-control-to-ensure-the-contr.patch
deleted file mode 100644
index e507234e7ae5b7fd9c386196051c36a8ab869832..0000000000000000000000000000000000000000
--- a/ITS-8840-Fix-domainScope-control-to-ensure-the-contr.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 59681e0eb305262aeb93675c66f21727bfc7ab98 Mon Sep 17 00:00:00 2001
-From: Quanah Gibson-Mount
-Date: Mon, 30 Apr 2018 17:27:36 +0000
-Subject: [PATCH 009/109] ITS#8840 Fix domainScope control to ensure the
- control value is absent as per Microsoft specification
- (https://msdn.microsoft.com/en-us/library/aa366979%28v=vs.85%29.aspx).
-
----
- servers/slapd/controls.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c
-index b8edd39bc..16b580633 100644
---- a/servers/slapd/controls.c
-+++ b/servers/slapd/controls.c
-@@ -1660,8 +1660,8 @@ static int parseDomainScope (
- return LDAP_PROTOCOL_ERROR;
- }
-
-- if ( BER_BVISNULL( &ctrl->ldctl_value )) {
-- rs->sr_text = "domainScope control value not empty";
-+ if ( !BER_BVISNULL( &ctrl->ldctl_value )) {
-+ rs->sr_text = "domainScope control value not absent";
- return LDAP_PROTOCOL_ERROR;
- }
-
---
-2.19.1
-
diff --git a/ITS-8842-Do-some-printability-checks-on-the-dc-RDN.patch b/ITS-8842-Do-some-printability-checks-on-the-dc-RDN.patch
deleted file mode 100644
index f6847797a0fab68b44bce51f5e55f28823d15564..0000000000000000000000000000000000000000
--- a/ITS-8842-Do-some-printability-checks-on-the-dc-RDN.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 849f937d0aaf5911d438c49ccde2b036b62362d5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?=
-Date: Thu, 21 Jun 2018 16:01:43 +0100
-Subject: [PATCH 025/109] ITS#8842 Do some printability checks on the dc RDN
-
----
- libraries/libldap/getdn.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/libraries/libldap/getdn.c b/libraries/libldap/getdn.c
-index 16ecd3055..69ff62ac8 100644
---- a/libraries/libldap/getdn.c
-+++ b/libraries/libldap/getdn.c
-@@ -27,6 +27,7 @@
-
- #include "ldap-int.h"
- #include "ldap_schema.h"
-+#include "ldif.h"
-
- /* extension to UFN that turns trailing "dc=value" rdns in DNS style,
- * e.g. "ou=People,dc=openldap,dc=org" => "People, openldap.org" */
-@@ -2478,6 +2479,11 @@ dn2domain( LDAPDN dn, struct berval *bv, int pos, int *iRDN )
- break;
- }
-
-+ if ( ldif_is_not_printable( ava->la_value.bv_val, ava->la_value.bv_len ) ) {
-+ domain = 0;
-+ break;
-+ }
-+
- domain = 1;
-
- if ( first ) {
---
-2.19.1
-
diff --git a/ITS-8843-check-for-NULL-modlist.patch b/ITS-8843-check-for-NULL-modlist.patch
deleted file mode 100644
index 657d5255283a97bcbf51832b976c68aa63fc24a0..0000000000000000000000000000000000000000
--- a/ITS-8843-check-for-NULL-modlist.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From cc24cf620470e600d31fd68f63decae82b9745f3 Mon Sep 17 00:00:00 2001
-From: Howard Chu
-Date: Wed, 2 May 2018 16:51:49 +0100
-Subject: [PATCH 011/109] ITS#8843 check for NULL modlist
-
----
- servers/slapd/overlays/syncprov.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c
-index 684421fb9..9051ec9c9 100644
---- a/servers/slapd/overlays/syncprov.c
-+++ b/servers/slapd/overlays/syncprov.c
-@@ -1924,6 +1924,7 @@ syncprov_op_response( Operation *op, SlapReply *rs )
- /* Don't do any processing for consumer contextCSN updates */
- if ( SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) &&
- op->o_tag == LDAP_REQ_MODIFY &&
-+ op->orm_modlist &&
- op->orm_modlist->sml_op == LDAP_MOD_REPLACE &&
- op->orm_modlist->sml_desc == slap_schema.si_ad_contextCSN ) {
- /* Catch contextCSN updates from syncrepl. We have to look at
---
-2.19.1
-
diff --git a/ITS-8864-Fix-ber_realloc-after-a-partial-ber_flush.patch b/ITS-8864-Fix-ber_realloc-after-a-partial-ber_flush.patch
deleted file mode 100644
index 52f081b3c4b31ee07a1b0bdc05babd3923b4d4bc..0000000000000000000000000000000000000000
--- a/ITS-8864-Fix-ber_realloc-after-a-partial-ber_flush.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-diff --git a/libraries/liblber/io.c b/libraries/liblber/io.c
-index e44a46c..8477794 100644
---- a/libraries/liblber/io.c
-+++ b/libraries/liblber/io.c
-@@ -128,7 +128,7 @@ ber_write(
- int
- ber_realloc( BerElement *ber, ber_len_t len )
- {
-- ber_len_t total, offset, sos_offset;
-+ ber_len_t total, offset, sos_offset, rw_offset;
- char *buf;
-
- assert( ber != NULL );
-@@ -165,6 +165,7 @@ ber_realloc( BerElement *ber, ber_len_t len )
- offset = ber->ber_ptr - buf;
- sos_offset = ber->ber_sos_ptr ? ber->ber_sos_ptr - buf : 0;
- /* if ber_sos_ptr != NULL, it is > ber_buf so that sos_offset > 0 */
-+ rw_offset = ber->ber_rwptr ? ber->ber_rwptr - buf : 0;
-
- buf = (char *) ber_memrealloc_x( buf, total, ber->ber_memctx );
- if ( buf == NULL ) {
-@@ -176,6 +177,8 @@ ber_realloc( BerElement *ber, ber_len_t len )
- ber->ber_ptr = buf + offset;
- if ( sos_offset )
- ber->ber_sos_ptr = buf + sos_offset;
-+ if ( ber->ber_rwptr )
-+ ber->ber_rwptr = buf + rw_offset;
-
- return( 0 );
- }
diff --git a/ITS-8878-Include-the-first-character-in-the-transfor.patch b/ITS-8878-Include-the-first-character-in-the-transfor.patch
deleted file mode 100644
index 51239a8ede41147fb804eb6305d174770d7e251f..0000000000000000000000000000000000000000
--- a/ITS-8878-Include-the-first-character-in-the-transfor.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 110409ea828b6806c2003702b300652f2290d3d4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?=
-Date: Thu, 8 Nov 2018 11:09:38 +0000
-Subject: [PATCH 054/109] ITS#8878 Include the first character in the
- transformation
-
----
- contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c b/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c
-index 262534b7d..5f4a0271f 100644
---- a/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c
-+++ b/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c
-@@ -59,15 +59,14 @@ const struct berval pbkdf2_sha512_scheme = BER_BVC("{PBKDF2-SHA512}");
- static int b64_to_ab64(char *str)
- {
- char *p = str;
-- while(*p++){
-+ do {
- if(*p == '+'){
- *p = '.';
- }
- if(*p == '='){
- *p = '\0';
-- break;
- }
-- }
-+ } while(*p++);
- return 0;
- }
-
---
-2.19.1
-
diff --git a/ITS-8909-additional-tweak.patch b/ITS-8909-additional-tweak.patch
deleted file mode 100644
index 506a3684963f4ef6d6506b228b8de2cf8d7f381f..0000000000000000000000000000000000000000
--- a/ITS-8909-additional-tweak.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 324fdd0c41fca50bd0bfacead6b5b7583ac233dc Mon Sep 17 00:00:00 2001
-From: Howard Chu
-Date: Wed, 29 Aug 2018 02:02:13 +0100
-Subject: [PATCH 033/109] ITS#8909 additional tweak
-
-Set error code on failure
----
- servers/slapd/saslauthz.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
-index e4a74ea7f..d80370ff9 100644
---- a/servers/slapd/saslauthz.c
-+++ b/servers/slapd/saslauthz.c
-@@ -2075,6 +2075,8 @@ int slap_sasl_authorized( Operation *op,
- rc = slap_sasl_check_authz( op, authcDN, authzDN,
- slap_schema.si_ad_saslAuthzTo, authcDN );
- if(( rc == LDAP_SUCCESS ) ^ (( authz_policy & SASL_AUTHZ_AND) != 0)) {
-+ if( rc != LDAP_SUCCESS )
-+ rc = LDAP_INAPPROPRIATE_AUTH;
- goto DONE;
- }
- }
---
-2.19.1
-
diff --git a/ITS-8909-fix-authz-policy-all-condition.patch b/ITS-8909-fix-authz-policy-all-condition.patch
deleted file mode 100644
index 893ed79b1b76b6c788b1250669e202f98835453f..0000000000000000000000000000000000000000
--- a/ITS-8909-fix-authz-policy-all-condition.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 37df43786bbb1918e28f3fb0117e58dd9d96cd1c Mon Sep 17 00:00:00 2001
-From: Howard Chu
-Date: Wed, 29 Aug 2018 01:13:05 +0100
-Subject: [PATCH 031/109] ITS#8909 fix "authz-policy all" condition
-
-Broken since original commit 113727ba
----
- servers/slapd/saslauthz.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
-index e1ea0a1e9..e4a74ea7f 100644
---- a/servers/slapd/saslauthz.c
-+++ b/servers/slapd/saslauthz.c
-@@ -2074,7 +2074,7 @@ int slap_sasl_authorized( Operation *op,
- if( authz_policy & SASL_AUTHZ_TO ) {
- rc = slap_sasl_check_authz( op, authcDN, authzDN,
- slap_schema.si_ad_saslAuthzTo, authcDN );
-- if( rc == LDAP_SUCCESS && !(authz_policy & SASL_AUTHZ_AND) ) {
-+ if(( rc == LDAP_SUCCESS ) ^ (( authz_policy & SASL_AUTHZ_AND) != 0)) {
- goto DONE;
- }
- }
---
-2.19.1
-
diff --git a/ITS-8918-fix-typo.patch b/ITS-8918-fix-typo.patch
deleted file mode 100644
index 1da5b4ea490e831e06cac2e0f2f66dcd16da5ca3..0000000000000000000000000000000000000000
--- a/ITS-8918-fix-typo.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 83ade79c715dd9516dd2ba0675094b86d630c7b8 Mon Sep 17 00:00:00 2001
-From: Howard Chu
-Date: Mon, 24 Sep 2018 13:47:09 +0100
-Subject: [PATCH 046/109] ITS#8918 fix typo
-
----
- servers/slapd/sasl.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
-index 73ac2a8a8..64e64d1d9 100644
---- a/servers/slapd/sasl.c
-+++ b/servers/slapd/sasl.c
-@@ -323,7 +323,7 @@ slap_auxprop_lookup(
-
- /* we don't know anything about this, ignore it */
- if ( !conn ) {
-- rc == LDAP_SUCCESS;
-+ rc = LDAP_SUCCESS;
- goto done;
- }
-
---
-2.19.1
-
diff --git a/ITS-8923-fix-dyngroup-NO_SUCH_OBJECT-error-handling.patch b/ITS-8923-fix-dyngroup-NO_SUCH_OBJECT-error-handling.patch
deleted file mode 100644
index 99ccef116525745d2e757a504519ba23ddb4dc63..0000000000000000000000000000000000000000
--- a/ITS-8923-fix-dyngroup-NO_SUCH_OBJECT-error-handling.patch
+++ /dev/null
@@ -1,70 +0,0 @@ -From 84e0958b28fccb5cc36de90094aebc6902145c07 Mon Sep 17 00:00:00 2001 -From: Howard Chu -Date: Wed, 3 Oct 2018 21:58:32 +0100 -Subject: [PATCH 049/109] ITS#8923 fix dyngroup NO_SUCH_OBJECT error handling - ---- - servers/slapd/backend.c | 2 +- - tests/data/dynlist.out | 3 +++ - tests/scripts/test044-dynlist | 9 +++++---- - 3 files changed, 9 insertions(+), 5 deletions(-) - -diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c -index 445a2cb57..0a3dafab8 100644 ---- a/servers/slapd/backend.c -+++ b/servers/slapd/backend.c -@@ -1520,7 +1520,7 @@ fe_acl_group( - op->o_private = o_priv; - if ( rc2 != 0 ) { - /* give up... */ -- rc = LDAP_OTHER; -+ rc = (rc2 == LDAP_NO_SUCH_OBJECT) ? rc2 : LDAP_OTHER; - goto loopit; - } - } -diff --git a/tests/data/dynlist.out b/tests/data/dynlist.out -index 429039b67..8caf0e22f 100644 ---- a/tests/data/dynlist.out -+++ b/tests/data/dynlist.out -@@ -198,6 +198,9 @@ memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person) - # Testing list compare... - TRUE - -+# Testing list compare... (should return FALSE) -+FALSE -+ - # Testing list compare (should return FALSE)... - FALSE - -diff --git a/tests/scripts/test044-dynlist b/tests/scripts/test044-dynlist -index e5a0c47dc..8caf50ded 100755 ---- a/tests/scripts/test044-dynlist -+++ b/tests/scripts/test044-dynlist -@@ -477,12 +477,12 @@ $LDAPCOMPARE -h $LOCALHOST -p $PORT1 \ - RC=$? - case $RC in - 5) -- echo "ldapcompare returned FALSE ($RC)!" -- test $KILLSERVERS != no && kill -HUP $KILLPIDS -- exit $RC -+ echo "ldapcompare returned FALSE ($RC)" - ;; - 6) -- echo "ldapcompare returned TRUE ($RC)" -+ echo "ldapcompare returned TRUE ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC - ;; - 0) - echo "ldapcompare returned success ($RC)!" -@@ -497,6 +497,7 @@ case $RC in - esac - echo "" >> $SEARCHOUT - -+CMPDN="$BJORNSDN" - echo "Testing list compare (should return FALSE)..." - echo "# Testing list compare (should return FALSE)..." 
>> $SEARCHOUT - $LDAPCOMPARE -h $LOCALHOST -p $PORT1 \ --- -2.19.1 - diff --git a/ITS-8932-check-rdnNormalize-success.patch b/ITS-8932-check-rdnNormalize-success.patch deleted file mode 100644 index 2ef91e5158252b5310698541b452cc4f3a3ed219..0000000000000000000000000000000000000000 --- a/ITS-8932-check-rdnNormalize-success.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 84a844cfd294a93b4fa2516a82d4f0e35e2c3d3d Mon Sep 17 00:00:00 2001 -From: Howard Chu -Date: Fri, 9 Nov 2018 21:16:10 +0000 -Subject: [PATCH 066/109] ITS#8932 check rdnNormalize success - ---- - servers/slapd/bconfig.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c -index 250f14100..4c7d53935 100644 ---- a/servers/slapd/bconfig.c -+++ b/servers/slapd/bconfig.c -@@ -4609,7 +4609,11 @@ config_renumber_one( Operation *op, SlapReply *rs, CfEntryInfo *parent, - /* Do the equivalent of ModRDN */ - /* Replace DN / NDN */ - newrdn.bv_len = ptr1 - newrdn.bv_val; -- rdnNormalize( 0, NULL, NULL, &newrdn, &nnewrdn, NULL ); -+ rc = rdnNormalize( 0, NULL, NULL, &newrdn, &nnewrdn, NULL ); -+ if ( rc ) { -+ free( newrdn.bv_val ); -+ return LDAP_NAMING_VIOLATION; -+ } - rc = config_rename_one( op, rs, e, parent, a, &newrdn, &nnewrdn, use_ldif ); - - free( nnewrdn.bv_val ); --- -2.19.1 - diff --git a/ITS-8948-Fix-BDB-lib-to-only-be-linked-with-static-b.patch b/ITS-8948-Fix-BDB-lib-to-only-be-linked-with-static-b.patch deleted file mode 100644 index 9dd7aee1cdaeed82958bd74149275eeb03ef4a34..0000000000000000000000000000000000000000 --- a/ITS-8948-Fix-BDB-lib-to-only-be-linked-with-static-b.patch +++ /dev/null 
@@ -1,32 +0,0 @@
-From 42d441c810d7b6a6d72625d919e944a38363d6c8 Mon Sep 17 00:00:00 2001
-From: Quanah Gibson-Mount
-Date: Mon, 31 Dec 2018 18:24:12 +0000
-Subject: [PATCH 078/109] ITS#8948 - Fix BDB lib to only be linked with static
- backend
-
----
- configure.in | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/configure.in b/configure.in
-index 2a4d29f78..2bd2a4382 100644
---- a/configure.in
-+++ b/configure.in
-@@ -1899,7 +1899,13 @@ if test $ol_enable_bdb/$ol_enable_hdb != no/no; then
- BDB_LIBS="$BDB_LIBS $ol_cv_lib_db"
- fi
-
-- SLAPD_LIBS="$SLAPD_LIBS \$(BDB_LIBS)"
-+ dnl link BDB library to slapd when there is a
-+ dnl static BDB based backend in use
-+ if test $ol_enable_bdb/$ol_enable_hdb != mod/mod ; then
-+ if test $ol_enable_bdb = yes -o $ol_enable_hdb = yes ; then
-+ SLAPD_LIBS="$SLAPD_LIBS \$(BDB_LIBS)"
-+ fi
-+ fi
-
- ol_link_bdb=yes
- fi
---
-2.19.1
-
diff --git a/ITS-8957-Fix-ASYNC-TLS.patch b/ITS-8957-Fix-ASYNC-TLS.patch
deleted file mode 100644
index eebaed711afc1dcb01dd80a4c299ccc27b2dfd2b..0000000000000000000000000000000000000000
--- a/ITS-8957-Fix-ASYNC-TLS.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From a5a8739b4436b27387c652a8f423b582516d841a Mon Sep 17 00:00:00 2001
-From: Quanah Gibson-Mount
-Date: Thu, 31 Jan 2019 02:33:17 +0000
-Subject: [PATCH 100/109] ITS#8957 - Fix ASYNC TLS
-
-Fix ASYNC TLS by correctly handling a return code of -2 in addition to 0
----
- libraries/libldap/open.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libraries/libldap/open.c b/libraries/libldap/open.c
-index 67a9353f9..5d70678d6 100644
---- a/libraries/libldap/open.c
-+++ b/libraries/libldap/open.c
-@@ -440,7 +440,7 @@ ldap_int_open_connection(
- #endif
-
- #ifdef HAVE_TLS
-- if (rc == 0 && ( ld->ld_options.ldo_tls_mode == LDAP_OPT_X_TLS_HARD ||
-+ if ((rc == 0 || rc == -2) && ( ld->ld_options.ldo_tls_mode == LDAP_OPT_X_TLS_HARD ||
- strcmp( srv->lud_scheme, "ldaps" ) == 0 ))
- {
- ++conn->lconn_refcnt; /* avoid premature free */
---
-2.19.1
-
diff --git a/ITS-8980-fix-async-connections-with-non-blocking-TLS.patch b/ITS-8980-fix-async-connections-with-non-blocking-TLS.patch
deleted file mode 100644
index f98fa17b2cf8436c444d34a4597f262702610f43..0000000000000000000000000000000000000000
--- a/ITS-8980-fix-async-connections-with-non-blocking-TLS.patch
+++ /dev/null
@@ -1,102 +0,0 @@ -From d4a0a9b3a65bd1ce721d55845d4240942d17538b Mon Sep 17 00:00:00 2001 -From: Vernon Smith -Date: Tue, 19 Feb 2019 05:57:00 +0000 -Subject: [PATCH 109/109] ITS#8980 fix async connections with non-blocking TLS - ---- - libraries/libldap/os-ip.c | 2 +- - libraries/libldap/tls2.c | 17 ++++++++++++----- - libraries/libldap/tls_o.c | 14 +++++++++++++- - 3 files changed, 26 insertions(+), 7 deletions(-) - -diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c -index a823cc626..cb7b0a3b2 100644 ---- a/libraries/libldap/os-ip.c -+++ b/libraries/libldap/os-ip.c -@@ -443,7 +443,7 @@ ldap_pvt_connect(LDAP *ld, ber_socket_t s, - if ( connect(s, sin, addrlen) != AC_SOCKET_ERROR ) { - osip_debug(ld, "connect success\n", 0, 0, 0); - -- if ( opt_tv && ldap_pvt_ndelay_off(ld, s) == -1 ) -+ if ( !async && opt_tv && ldap_pvt_ndelay_off(ld, s) == -1 ) - return ( -1 ); - return ( 0 ); - } -diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c -index 96da4d421..bc93e4d63 100644 ---- a/libraries/libldap/tls2.c -+++ b/libraries/libldap/tls2.c -@@ -826,7 +826,7 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv ) - Sockbuf *sb; - char *host; - void *ssl; -- int ret; -+ int ret, async; - #ifdef LDAP_USE_NON_BLOCKING_TLS - struct timeval start_time_tv, tv, tv0; - ber_socket_t sd = AC_SOCKET_ERROR; -@@ -853,8 +853,12 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv ) - /* - * Use non-blocking io during SSL Handshake when a timeout is configured - */ -+ async = LDAP_BOOL_GET( &ld->ld_options, LDAP_BOOL_CONNECT_ASYNC ); - if ( ld->ld_options.ldo_tm_net.tv_sec >= 0 ) { -- ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)1 ); -+ if ( !async ) { -+ /* if async, this has already been set */ -+ ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)1 ); -+ } - ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_FD, &sd ); - tv = ld->ld_options.ldo_tm_net; - tv0 = tv; -@@ -888,8 +892,10 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn 
*conn, LDAPURLDesc *srv ) - ld->ld_errno = LDAP_TIMEOUT; - break; - } else { -- /* ldap_int_poll called ldap_pvt_ndelay_off */ -- ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)1 ); -+ /* ldap_int_poll called ldap_pvt_ndelay_off if not async */ -+ if ( !async ) { -+ ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)1 ); -+ } - ret = ldap_int_tls_connect( ld, conn, host ); - if ( ret > 0 ) { /* need to call tls_connect once more */ - struct timeval curr_time_tv, delta_tv; -@@ -936,7 +942,8 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv ) - } - } - } -- if ( ld->ld_options.ldo_tm_net.tv_sec >= 0 ) { -+ /* Leave it nonblocking if async */ -+ if ( !async && ld->ld_options.ldo_tm_net.tv_sec >= 0 ) { - ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, NULL ); - } - #endif /* LDAP_USE_NON_BLOCKING_TLS */ -diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c -index 2b0c021a6..b10121d3a 100644 ---- a/libraries/libldap/tls_o.c -+++ b/libraries/libldap/tls_o.c -@@ -452,7 +452,19 @@ tlso_session_connect( LDAP *ld, tls_session *sess ) - tlso_session *s = (tlso_session *)sess; - - /* Caller expects 0 = success, OpenSSL returns 1 = success */ -- return SSL_connect( s ) - 1; -+ int rc = SSL_connect( s ) - 1; -+#ifdef LDAP_USE_NON_BLOCKING_TLS -+ if ( rc < 0 ) { -+ int sockerr = sock_errno(); -+ int sslerr = SSL_get_error( s, rc+1 ); -+ if ( sslerr == SSL_ERROR_WANT_READ || sslerr == SSL_ERROR_WANT_WRITE ) { -+ rc = 0; -+ } else if ( sslerr == SSL_ERROR_SYSCALL && -+ ( sockerr == EAGAIN || sockerr == ENOTCONN )) { -+ rc = 0; -+ } -+ } -+#endif /* LDAP_USE_NON_BLOCKING_TLS */ - } - - static int --- -2.19.1 - diff --git a/README.en.md b/README.en.md deleted file mode 100644 index 0efb4ac2a150de7b41a5df7f552b167e2a0e25b3..0000000000000000000000000000000000000000 --- a/README.en.md +++ /dev/null 
@@ -1,36 +0,0 @@ -# openldap - -#### Description -{**When you're done, you can delete the content in this README and update the file with details for others getting started with your repository**} - -#### Software Architecture -Software architecture description - -#### Installation - -1. xxxx -2. xxxx -3. xxxx - -#### Instructions - -1. xxxx -2. xxxx -3. xxxx - -#### Contribution - -1. Fork the repository -2. Create Feat_xxx branch -3. Commit your code -4. Create Pull Request - - -#### Gitee Feature - -1. You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md -2. Gitee blog [blog.gitee.com](https://blog.gitee.com) -3. Explore open source project [https://gitee.com/explore](https://gitee.com/explore) -4. The most valuable open source project [GVP](https://gitee.com/gvp) -5. The manual of Gitee [https://gitee.com/help](https://gitee.com/help) -6. The most popular members [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/) diff --git a/README.md b/README.md deleted file mode 100644 index 5ea4ed790fd53b714970d267a27b345b7a1a385d..0000000000000000000000000000000000000000 --- a/README.md +++ /dev/null 
@@ -1,39 +0,0 @@ -# openldap - -#### 介绍 -{**以下是码云平台说明,您可以替换此简介** -码云是 OSCHINA 推出的基于 Git 的代码托管平台(同时支持 SVN)。专为开发者提供稳定、高效、安全的云端软件开发协作平台 -无论是个人、团队、或是企业,都能够用码云实现代码托管、项目管理、协作开发。企业项目请看 [https://gitee.com/enterprises](https://gitee.com/enterprises)} - -#### 软件架构 -软件架构说明 - - -#### 安装教程 - -1. xxxx -2. xxxx -3. xxxx - -#### 使用说明 - -1. xxxx -2. xxxx -3. xxxx - -#### 参与贡献 - -1. Fork 本仓库 -2. 新建 Feat_xxx 分支 -3. 提交代码 -4. 新建 Pull Request - - -#### 码云特技 - -1. 使用 Readme\_XXX.md 来支持不同的语言,例如 Readme\_en.md, Readme\_zh.md -2. 码云官方博客 [blog.gitee.com](https://blog.gitee.com) -3. 你可以 [https://gitee.com/explore](https://gitee.com/explore) 这个地址来了解码云上的优秀开源项目 -4. [GVP](https://gitee.com/gvp) 全称是码云最有价值开源项目,是码云综合评定出的优秀开源项目 -5. 码云官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help) -6. 码云封面人物是一档用来展示码云会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/) diff --git a/backport-ITS9160-OOM-Handing.patch b/backport-ITS9160-OOM-Handing.patch new file mode 100644 index 0000000000000000000000000000000000000000..1342db3b71aa9b1583a25d77f76d75853fae1986 --- /dev/null +++ b/backport-ITS9160-OOM-Handing.patch 
@@ -0,0 +1,821 @@ +From 47e0e3fdb59d8be9cc44e814ba03684d352916a6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= +Date: Thu, 30 Jan 2020 09:03:59 +0000 +Subject: [PATCH] ITS#9160 OOM handling +https://bugs.openldap.org/show_bug.cgi?id=9160 + + +diff --git a/contrib/slapd-modules/allowed/allowed.c b/contrib/slapd-modules/allowed/allowed.c +--- a/contrib/slapd-modules/allowed/allowed.c ++++ b/contrib/slapd-modules/allowed/allowed.c +@@ -277,10 +277,10 @@ aa_operational( Operation *op, SlapReply *rs ) + /* just count */ ; + + if ( got & GOT_A ) { +- bv_allowed = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) ); ++ bv_allowed = ch_calloc( i + 1, sizeof( struct berval ) ); + } + if ( got & GOT_AE ) { +- bv_effective = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) ); ++ bv_effective = ch_calloc( i + 1, sizeof( struct berval ) ); + } + + for ( i = 0, ja = 0, je = 0; atp[ i ] != NULL; i++ ) { +@@ -310,7 +310,6 @@ aa_operational( Operation *op, SlapReply *rs ) + ch_free( atp ); + + if ( ( got & GOT_A ) && ja > 0 ) { +- BER_BVZERO( &bv_allowed[ ja ] ); + *ap = attr_alloc( ad_allowedAttributes ); + (*ap)->a_vals = bv_allowed; + (*ap)->a_nvals = bv_allowed; +@@ -319,7 +318,6 @@ aa_operational( Operation *op, SlapReply *rs ) + } + + if ( ( got & GOT_AE ) && je > 0 ) { +- BER_BVZERO( &bv_effective[ je ] ); + *ap = attr_alloc( ad_allowedAttributesEffective ); + (*ap)->a_vals = bv_effective; + (*ap)->a_nvals = bv_effective; +@@ -348,10 +346,10 @@ do_oc:; + } + + if ( got & GOT_C ) { +- bv_allowed = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) ); ++ bv_allowed = ch_calloc( i + 1, sizeof( struct berval ) ); + } + if ( got & GOT_CE ) { +- bv_effective = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) ); ++ bv_effective = ch_calloc( i + 1, sizeof( struct berval ) ); + } + + for ( oc_start( &oc ); oc != NULL; oc_next( &oc ) ) { +@@ -398,7 +396,6 @@ done_ce:; + } + + if ( ( got & GOT_C ) && ja > 0 ) { +- BER_BVZERO( &bv_allowed[ ja ] ); + *ap = 
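Review bot: The end-of-array marker for `bv_allowed` and `bv_effective` is now implicit in the zero-fill of `ch_calloc`, and nothing on the new side of the allowed.c hunk at -277 says so. The hunks at -310, -319, -398 and -407 remove the explicit `BER_BVZERO( &bv_allowed[ ja ] )` / `BER_BVZERO( &bv_effective[ je ] )` terminators, so a later change back to a non-zeroing allocator would hand `a_vals` an unterminated array that consumers could read past. I would add a comment at each allocation, for example `/* ch_calloc zero-fills: the array is already terminated by an empty berval */`. aa_operational starts and ends outside these hunks.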
attr_alloc( ad_allowedChildClasses ); + (*ap)->a_vals = bv_allowed; + (*ap)->a_nvals = bv_allowed; +@@ -407,7 +404,6 @@ done_ce:; + } + + if ( ( got & GOT_CE ) && je > 0 ) { +- BER_BVZERO( &bv_effective[ je ] ); + *ap = attr_alloc( ad_allowedChildClassesEffective ); + (*ap)->a_vals = bv_effective; + (*ap)->a_nvals = bv_effective; + +diff --git a/contrib/slapd-modules/samba4/rdnval.c b/contrib/slapd-modules/samba4/rdnval.c +--- a/contrib/slapd-modules/samba4/rdnval.c ++++ b/contrib/slapd-modules/samba4/rdnval.c +@@ -223,8 +223,8 @@ rdnval_rdn2vals( + + /* NOTE: we assume rdn and nrdn contain the same AVAs! */ + +- *valsp = SLAP_CALLOC( sizeof( struct berval ), nAVA + 1 ); +- *nvalsp = SLAP_CALLOC( sizeof( struct berval ), nAVA + 1 ); ++ *valsp = ch_calloc( sizeof( struct berval ), nAVA + 1 ); ++ *nvalsp = ch_calloc( sizeof( struct berval ), nAVA + 1 ); + + /* Add new attribute values to the entry */ + for ( i = 0; rdn[ i ]; i++ ) { +@@ -354,7 +354,7 @@ rdnval_op_rename( Operation *op, SlapReply *rs ) + send_ldap_result( op, rs ); + } + +- ml = SLAP_CALLOC( sizeof( Modifications ), 1 ); ++ ml = ch_calloc( sizeof( Modifications ), 1 ); + ml->sml_values = vals; + ml->sml_nvalues = nvals; + +diff --git a/contrib/slapd-modules/samba4/vernum.c b/contrib/slapd-modules/samba4/vernum.c +--- a/contrib/slapd-modules/samba4/vernum.c ++++ b/contrib/slapd-modules/samba4/vernum.c +@@ -121,8 +121,8 @@ vernum_op_modify( Operation *op, SlapReply *rs ) + /* ITS#6561 */ + #ifdef SLAP_MOD_ADD_IF_NOT_PRESENT + /* the initial value is only added if the vernum attr is not present */ +- ml = SLAP_CALLOC( sizeof( Modifications ), 1 ); +- ml->sml_values = SLAP_CALLOC( sizeof( struct berval ) , 2 ); ++ ml = ch_calloc( sizeof( Modifications ), 1 ); ++ ml->sml_values = ch_calloc( sizeof( struct berval ) , 2 ); + value_add_one( &ml->sml_values, &val_init ); + ml->sml_nvalues = NULL; + ml->sml_numvals = 1; +@@ -136,8 +136,8 @@ vernum_op_modify( Operation *op, SlapReply *rs ) + #endif /* 
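Review bot: The new `ch_calloc( sizeof( struct berval ), nAVA + 1 )` calls in the rdnval.c hunk at -223 pass the element size first and the count second, the reverse of the `ch_calloc( i + 1, sizeof( struct berval ) )` order used in the allowed.c hunks of this same patch. The allocated size is the same, so this is a point of style, but the mixed order makes the count harder to audit and is a pattern that compilers and analyzers commonly warn about. I would write `*valsp = ch_calloc( nAVA + 1, sizeof( struct berval ) );` and likewise for `*nvalsp`. The same applies to `ch_calloc( sizeof( Modifications ), 1 )` in rdnval_op_rename and to both vernum_op_modify hunks.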
SLAP_MOD_ADD_IF_NOT_PRESENT */ + + /* this increments by 1 the vernum attr */ +- ml = SLAP_CALLOC( sizeof( Modifications ), 1 ); +- ml->sml_values = SLAP_CALLOC( sizeof( struct berval ) , 2 ); ++ ml = ch_calloc( sizeof( Modifications ), 1 ); ++ ml->sml_values = ch_calloc( sizeof( struct berval ) , 2 ); + value_add_one( &ml->sml_values, &val ); + ml->sml_nvalues = NULL; + ml->sml_numvals = 1; + +diff --git a/tests/progs/slapd-bind.c b/tests/progs/slapd-bind.c +index c9e3210b06..a832e809c1 100644 +--- a/tests/progs/slapd-bind.c ++++ b/tests/progs/slapd-bind.c +@@ -412,11 +412,19 @@ do_base( struct tester_conn_args *config, char *dn, char *base, char *filter, ch + case LDAP_RES_SEARCH_ENTRY: + rc = ldap_get_dn_ber( ld, msg, &ber, &bv ); + dns = realloc( dns, (ndns + 1)*sizeof(char *) ); ++ if ( !dns ) { ++ tester_error( "realloc failed" ); ++ exit( EXIT_FAILURE ); ++ } + dns[ndns] = ber_strdup( bv.bv_val ); + if ( pwattr != NULL ) { + struct berval **values = ldap_get_values_len( ld, msg, pwattr ); + + creds = realloc( creds, (ndns + 1)*sizeof(struct berval) ); ++ if ( !creds ) { ++ tester_error( "realloc failed" ); ++ exit( EXIT_FAILURE ); ++ } + if ( values == NULL ) { + novals:; + creds[ndns].bv_len = 0; +diff --git a/tests/progs/slapd-modrdn.c b/tests/progs/slapd-modrdn.c +index 5bd823d72a..d82d82c69e 100644 +--- a/tests/progs/slapd-modrdn.c ++++ b/tests/progs/slapd-modrdn.c +@@ -125,6 +125,10 @@ do_modrdn( struct tester_conn_args *config, + + DNs[0] = entry; + DNs[1] = strdup( entry ); ++ if ( DNs[1] == NULL ) { ++ tester_error( "strdup failed" ); ++ exit( EXIT_FAILURE ); ++ } + + /* reverse the RDN, make new DN */ + p1 = strchr( entry, '=' ) + 1; +@@ -132,6 +136,10 @@ do_modrdn( struct tester_conn_args *config, + + *p2 = '\0'; + rdns[1] = strdup( entry ); ++ if ( rdns[1] == NULL ) { ++ tester_error( "strdup failed" ); ++ exit( EXIT_FAILURE ); ++ } + *p2-- = ','; + + for (i = p1 - entry;p2 >= p1;) +@@ -139,6 +147,10 @@ do_modrdn( struct tester_conn_args *config, 
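Review bot: `dns[ndns] = ber_strdup( bv.bv_val );` in the slapd-bind.c hunk is still unchecked, right after the new `realloc` guard, so an allocation failure there leaves a NULL entry in `dns` for later code to use. Within the hunk, `rc` from `ldap_get_dn_ber` is also not tested before `bv.bv_val` is read. A matching guard would be `if ( !dns[ndns] ) { tester_error( "ber_strdup failed" ); exit( EXIT_FAILURE ); }`. The slapd-search.c hunk at -226 has the same gap with `values[ nvalues + j ] = strdup( v[ j ]->bv_val );`. do_base continues outside the hunk.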
+ + DNs[1][i] = '\0'; + rdns[0] = strdup( DNs[1] ); ++ if ( rdns[0] == NULL ) { ++ tester_error( "strdup failed" ); ++ exit( EXIT_FAILURE ); ++ } + DNs[1][i] = ','; + + i = 0; +diff --git a/tests/progs/slapd-mtread.c b/tests/progs/slapd-mtread.c +index 1b421af00b..c8024cb6e1 100644 +--- a/tests/progs/slapd-mtread.c ++++ b/tests/progs/slapd-mtread.c +@@ -531,6 +531,10 @@ do_random( LDAP *ld, + } + + values = malloc( ( nvalues + 1 ) * sizeof( char * ) ); ++ if (values == NULL) { ++ thread_error( idx, "(failed to malloc)"); ++ exit( EXIT_FAILURE ); ++ } + for ( i = 0, e = ldap_first_entry( ld, res ); e != NULL; i++, e = ldap_next_entry( ld, e ) ) + { + values[ i ] = ldap_get_dn( ld, e ); +diff --git a/tests/progs/slapd-read.c b/tests/progs/slapd-read.c +index 4023a22d27..f95228317b 100644 +--- a/tests/progs/slapd-read.c ++++ b/tests/progs/slapd-read.c +@@ -202,6 +202,10 @@ do_random( struct tester_conn_args *config, char *sbase, char *filter, + } + + values = malloc( ( nvalues + 1 ) * sizeof( char * ) ); ++ if ( !values ) { ++ tester_error( "malloc failed" ); ++ exit( EXIT_FAILURE ); ++ } + for ( i = 0, e = ldap_first_entry( ld, res ); e != NULL; i++, e = ldap_next_entry( ld, e ) ) + { + values[ i ] = ldap_get_dn( ld, e ); +@@ -251,6 +255,10 @@ do_read( struct tester_conn_args *config, char *entry, LDAP **ldp, + /* make room for msgid */ + if ( swamp > 1 ) { + msgids = (int *)calloc( sizeof(int), maxloop ); ++ if ( !msgids ) { ++ tester_error( "calloc failed" ); ++ exit( EXIT_FAILURE ); ++ } + } + + retry:; +diff --git a/tests/progs/slapd-search.c b/tests/progs/slapd-search.c +index 8f791d6b3c..321fd80e38 100644 +--- a/tests/progs/slapd-search.c ++++ b/tests/progs/slapd-search.c +@@ -226,6 +226,10 @@ do_random( struct tester_conn_args *config, + int j; + + values = realloc( values, ( nvalues + n + 1 )*sizeof( char * ) ); ++ if ( !values ) { ++ tester_error( "realloc failed" ); ++ exit( EXIT_FAILURE ); ++ } + for ( j = 0; j < n; j++ ) { + values[ nvalues + j ] = 
strdup( v[ j ]->bv_val ); + } +@@ -298,6 +302,10 @@ do_search( struct tester_conn_args *config, + /* make room for msgid */ + if ( swamp > 1 ) { + msgids = (int *)calloc( sizeof(int), innerloop ); ++ if ( !msgids ) { ++ tester_error( "calloc failed" ); ++ exit( EXIT_FAILURE ); ++ } + } + + retry:; + +diff --git a/servers/slapd/aci.c b/servers/slapd/aci.c +index 86ace3f536..232c32fc89 100644 +--- a/servers/slapd/aci.c ++++ b/servers/slapd/aci.c +@@ -1258,7 +1258,7 @@ OpenLDAPaciNormalizeRight( + + len = nattrs.bv_len + ( !BER_BVISEMPTY( &nattrs ) ? STRLENOF( "," ) : 0 ) + + ad->ad_cname.bv_len; +- nattrs.bv_val = ber_memrealloc_x( nattrs.bv_val, len + 1, ctx ); ++ nattrs.bv_val = slap_sl_realloc( nattrs.bv_val, len + 1, ctx ); + ptr = &nattrs.bv_val[ nattrs.bv_len ]; + if ( !BER_BVISEMPTY( &nattrs ) ) { + *ptr++ = ','; +@@ -1270,7 +1270,7 @@ OpenLDAPaciNormalizeRight( + + } + +- naction->bv_val = ber_memrealloc_x( naction->bv_val, ++ naction->bv_val = slap_sl_realloc( naction->bv_val, + naction->bv_len + STRLENOF( ";" ) + + perms.bv_len + STRLENOF( ";" ) + + nattrs.bv_len + 1, +@@ -1345,7 +1345,7 @@ OpenLDAPaciNormalizeRights( + *nactions = nbv; + + } else { +- nactions->bv_val = ber_memrealloc_x( nactions->bv_val, ++ nactions->bv_val = slap_sl_realloc( nactions->bv_val, + nactions->bv_len + STRLENOF( "$" ) + + nbv.bv_len + 1, + ctx ); +@@ -1703,7 +1703,7 @@ OpenLDAPaciPrettyNormal( + } + + bv.bv_len += STRLENOF( "/" ) + oc->soc_cname.bv_len; +- bv.bv_val = ber_memalloc_x( bv.bv_len + 1, ctx ); ++ bv.bv_val = slap_sl_malloc( bv.bv_len + 1, ctx ); + + ptr = bv.bv_val; + ptr = lutil_strncopy( ptr, ntype.bv_val, ntype.bv_len ); +@@ -1762,7 +1762,7 @@ OpenLDAPaciPrettyNormal( + + ntype.bv_len + STRLENOF( "#" ) + + nsubject.bv_len; + +- out->bv_val = ber_memalloc_x( out->bv_len + 1, ctx ); ++ out->bv_val = slap_sl_malloc( out->bv_len + 1, ctx ); + ptr = lutil_strncopy( out->bv_val, oid.bv_val, oid.bv_len ); + ptr[ 0 ] = '#'; + ptr++; +diff --git a/servers/slapd/bconfig.c 
b/servers/slapd/bconfig.c +index 79a3fd1cfc..ceee648683 100644 +--- a/servers/slapd/bconfig.c ++++ b/servers/slapd/bconfig.c +@@ -3032,7 +3032,7 @@ tcp_buffer_unparse( int size, int rw, Listener *l, struct berval *val ) + } + } + +- val->bv_val = SLAP_MALLOC( val->bv_len + 1 ); ++ val->bv_val = ch_malloc( val->bv_len + 1 ); + + ptr = val->bv_val; + +@@ -3110,7 +3110,7 @@ tcp_buffer_add_one( int argc, char **argv ) + if ( rw & SLAP_TCP_WMEM ) slapd_tcp_wmem = size; + } + +- tcp_buffer = SLAP_REALLOC( tcp_buffer, sizeof( struct berval ) * ( tcp_buffer_num + 2 ) ); ++ tcp_buffer = ch_realloc( tcp_buffer, sizeof( struct berval ) * ( tcp_buffer_num + 2 ) ); + /* append */ + tcp_buffer[ tcp_buffer_num ] = val; + +diff --git a/servers/slapd/modify.c b/servers/slapd/modify.c +index fb1cc3f1c3..cfdd7b0aa9 100644 +--- a/servers/slapd/modify.c ++++ b/servers/slapd/modify.c +@@ -619,7 +619,7 @@ int slap_mods_check( + if( nvals && ad->ad_type->sat_equality && + ad->ad_type->sat_equality->smr_normalize ) + { +- ml->sml_nvalues = ber_memalloc_x( ++ ml->sml_nvalues = slap_sl_malloc( + (nvals+1)*sizeof(struct berval), ctx ); + + for ( nvals = 0; !BER_BVISNULL( &ml->sml_values[nvals] ); nvals++ ) { +diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c +index 92407391e9..c067ef825c 100644 +--- a/servers/slapd/schema_init.c ++++ b/servers/slapd/schema_init.c +@@ -3415,7 +3415,7 @@ serialNumberAndIssuerCheck( + ber_len_t src, dst; + + ni.bv_len = is->bv_len - numdquotes; +- ni.bv_val = ber_memalloc_x( ni.bv_len + 1, ctx ); ++ ni.bv_val = slap_sl_malloc( ni.bv_len + 1, ctx ); + for ( src = 0, dst = 0; src < is->bv_len; src++, dst++ ) { + if ( is->bv_val[src] == '"' ) { + src++; +@@ -4004,7 +4004,7 @@ issuerAndThisUpdateCheck( + ber_len_t src, dst; + + ni.bv_len = is->bv_len - numdquotes; +- ni.bv_val = ber_memalloc_x( ni.bv_len + 1, ctx ); ++ ni.bv_val = slap_sl_malloc( ni.bv_len + 1, ctx ); + for ( src = 0, dst = 0; src < is->bv_len; src++, dst++ ) { + if ( 
is->bv_val[src] == '"' ) { + src++; +@@ -4606,7 +4606,7 @@ serialNumberAndIssuerSerialCheck( + ber_len_t src, dst; + + ni.bv_len = is->bv_len - numdquotes; +- ni.bv_val = ber_memalloc_x( ni.bv_len + 1, ctx ); ++ ni.bv_val = slap_sl_malloc( ni.bv_len + 1, ctx ); + for ( src = 0, dst = 0; src < is->bv_len; src++, dst++ ) { + if ( is->bv_val[src] == '"' ) { + src++; + +diff --git a/servers/slapd/value.c b/servers/slapd/value.c +index 73c2052f16..c901236d5e 100644 +--- a/servers/slapd/value.c ++++ b/servers/slapd/value.c +@@ -514,7 +514,7 @@ ordered_value_pretty( + bv = *out; + + out->bv_len = idx.bv_len + bv.bv_len; +- out->bv_val = ber_memalloc_x( out->bv_len + 1, ctx ); ++ out->bv_val = slap_sl_malloc( out->bv_len + 1, ctx ); + + AC_MEMCPY( out->bv_val, idx.bv_val, idx.bv_len ); + AC_MEMCPY( &out->bv_val[ idx.bv_len ], bv.bv_val, bv.bv_len + 1 ); +@@ -591,7 +591,7 @@ ordered_value_normalize( + bv = *normalized; + + normalized->bv_len = idx.bv_len + bv.bv_len; +- normalized->bv_val = ber_memalloc_x( normalized->bv_len + 1, ctx ); ++ normalized->bv_val = slap_sl_malloc( normalized->bv_len + 1, ctx ); + + AC_MEMCPY( normalized->bv_val, idx.bv_val, idx.bv_len ); + AC_MEMCPY( &normalized->bv_val[ idx.bv_len ], bv.bv_val, bv.bv_len + 1 ); + +diff --git a/libraries/libldap/deref.c b/libraries/libldap/deref.c +index 6da6f2711c..9b66f19d95 100644 +--- a/libraries/libldap/deref.c ++++ b/libraries/libldap/deref.c +@@ -191,6 +191,12 @@ ldap_parse_derefresponse_control( + char *last2; + + dr = LDAP_CALLOC( 1, sizeof(LDAPDerefRes) ); ++ if ( dr == NULL ) { ++ ldap_derefresponse_free( drhead ); ++ *drp2 = NULL; ++ ld->ld_errno = LDAP_NO_MEMORY; ++ return ld->ld_errno; ++ } + dvp = &dr->attrVals; + + tag = ber_scanf( ber, "{ao", &dr->derefAttr, &dr->derefVal ); +@@ -207,6 +213,13 @@ ldap_parse_derefresponse_control( + LDAPDerefVal *dv; + + dv = LDAP_CALLOC( 1, sizeof(LDAPDerefVal) ); ++ if ( dv == NULL ) { ++ ldap_derefresponse_free( drhead ); ++ LDAP_FREE( dr ); ++ *drp2 = NULL; 
++ ld->ld_errno = LDAP_NO_MEMORY; ++ return ld->ld_errno; ++ } + + tag = ber_scanf( ber, "{a[W]}", &dv->type, &dv->vals ); + if ( tag == LBER_ERROR ) { +diff --git a/libraries/libldap/getdn.c b/libraries/libldap/getdn.c +index 45910aba52..1228d9c76e 100644 +--- a/libraries/libldap/getdn.c ++++ b/libraries/libldap/getdn.c +@@ -258,6 +258,9 @@ ldap_explode_rdn( LDAP_CONST char *rdn, int notypes ) + l = vl + ava->la_attr.bv_len + 1; + + str = LDAP_MALLOC( l + 1 ); ++ if ( str == NULL ) { ++ goto error_return; ++ } + AC_MEMCPY( str, ava->la_attr.bv_val, + ava->la_attr.bv_len ); + str[ al++ ] = '='; +@@ -265,6 +268,9 @@ ldap_explode_rdn( LDAP_CONST char *rdn, int notypes ) + } else { + l = vl; + str = LDAP_MALLOC( l + 1 ); ++ if ( str == NULL ) { ++ goto error_return; ++ } + } + + if ( ava->la_flags & LDAP_AVA_BINARY ) { +@@ -1526,6 +1532,10 @@ str2strval( const char *str, ber_len_t stoplen, struct berval *val, const char * + if ( escapes == 0 ) { + if ( *retFlags & LDAP_AVA_NONPRINTABLE ) { + val->bv_val = LDAP_MALLOCX( len + 1, ctx ); ++ if ( val->bv_val == NULL ) { ++ return( 1 ); ++ } ++ + AC_MEMCPY( val->bv_val, startPos, len ); + val->bv_val[ len ] = '\0'; + } else { +@@ -1536,6 +1546,10 @@ str2strval( const char *str, ber_len_t stoplen, struct berval *val, const char * + ber_len_t s, d; + + val->bv_val = LDAP_MALLOCX( len + 1, ctx ); ++ if ( val->bv_val == NULL ) { ++ return( 1 ); ++ } ++ + for ( s = 0, d = 0; d < len; ) { + if ( LDAP_DN_ESCAPE( startPos[ s ] ) ) { + s++; +@@ -1633,6 +1647,10 @@ DCE2strval( const char *str, struct berval *val, const char **next, unsigned fla + ber_len_t s, d; + + val->bv_val = LDAP_MALLOCX( len + 1, ctx ); ++ if ( val->bv_val == NULL ) { ++ return( 1 ); ++ } ++ + for ( s = 0, d = 0; d < len; ) { + /* + * This point is reached only if escapes +@@ -1714,6 +1732,10 @@ IA52strval( const char *str, struct berval *val, const char **next, unsigned fla + ber_len_t s, d; + + val->bv_val = LDAP_MALLOCX( len + 1, ctx ); ++ if ( val->bv_val 
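Review bot: In the deref.c hunk at -207, the `dv == NULL` path releases the current element with `LDAP_FREE( dr )`, which frees only the struct. By then `ber_scanf( ber, "{ao", &dr->derefAttr, &dr->derefVal )` has already filled `dr`, and earlier loop iterations may have hung values off `dr->attrVals`, so those allocations are lost. Assuming `dr` is not yet linked into the `drhead` list at this point (the linking code is outside the hunk), `ldap_derefresponse_free( dr );` in place of `LDAP_FREE( dr );` would release the members as well. Both this return and the `dr == NULL` return in the hunk at -191 also leave the function directly, so if `ber` is released only at the function's normal exit (not visible here), it is leaked on these paths too.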
== NULL ) { ++ return( 1 ); ++ } ++ + for ( s = 0, d = 0; d < len; ) { + if ( LDAP_DN_ESCAPE( startPos[ s ] ) ) { + s++; +@@ -1804,6 +1826,10 @@ quotedIA52strval( const char *str, struct berval *val, const char **next, unsign + ber_len_t s, d; + + val->bv_val = LDAP_MALLOCX( len + 1, ctx ); ++ if ( val->bv_val == NULL ) { ++ return( 1 ); ++ } ++ + val->bv_len = len; + + for ( s = d = 0; d < len; ) { +@@ -2897,6 +2923,9 @@ ldap_rdn2bv_x( LDAPRDN rdn, struct berval *bv, unsigned flags, void *ctx ) + } + + bv->bv_val = LDAP_MALLOCX( l + 1, ctx ); ++ if ( bv->bv_val == NULL ) { ++ return LDAP_NO_MEMORY; ++ } + + switch ( LDAP_DN_FORMAT( flags ) ) { + case LDAP_DN_FORMAT_LDAPV3: +diff --git a/libraries/libldap/ldif.c b/libraries/libldap/ldif.c +index 5414e59334..1c29619cf3 100644 +--- a/libraries/libldap/ldif.c ++++ b/libraries/libldap/ldif.c +@@ -357,6 +357,9 @@ ldif_must_b64_encode_register( LDAP_CONST char *name, LDAP_CONST char *oid ) + + if ( must_b64_encode == default_must_b64_encode ) { + must_b64_encode = ber_memalloc( sizeof( must_b64_encode_s ) * ( i + 2 ) ); ++ if ( must_b64_encode == NULL ) { ++ return 1; ++ } + + for ( i = 0; !BER_BVISNULL( &default_must_b64_encode[i].name ); i++ ) { + ber_dupbv( &must_b64_encode[i].name, &default_must_b64_encode[i].name ); +@@ -728,6 +731,9 @@ ldif_open( + + if ( fp ) { + lfp = ber_memalloc( sizeof( LDIFFP )); ++ if ( lfp == NULL ) { ++ return NULL; ++ } + lfp->fp = fp; + lfp->prev = NULL; + } + +diff --git a/libraries/libldap/options.c b/libraries/libldap/options.c +index d8dbfea880..bc421dc6ba 100644 +--- a/libraries/libldap/options.c ++++ b/libraries/libldap/options.c +@@ -151,10 +151,21 @@ ldap_get_option( + int i; + info->ldapai_extensions = LDAP_MALLOC(sizeof(char *) * + sizeof(features)/sizeof(LDAPAPIFeatureInfo)); ++ if ( info->ldapai_extensions == NULL ) { ++ rc = LDAP_NO_MEMORY; ++ break; ++ } + + for(i=0; features[i].ldapaif_name != NULL; i++) { + info->ldapai_extensions[i] = + 
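Review bot: In the ldif.c hunk at -357, the result of `ber_memalloc` is stored straight into `must_b64_encode` before it is checked, so on failure the function returns 1 with that pointer already NULL. `must_b64_encode` looks like state that outlives the call, since it is compared against `default_must_b64_encode` on entry. If so, the next caller no longer takes the "still the default table" branch and works on a NULL table. Allocating into a local keeps the default in place on failure: `must_b64_encode_s *tmp = ber_memalloc( sizeof( must_b64_encode_s ) * ( i + 2 ) );`, `if ( tmp == NULL ) { return 1; }`, `must_b64_encode = tmp;`. The function body continues outside the hunk.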
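Review bot: In the ldif.c hunk at -728 (ldif_open), the new `return NULL` when `lfp == NULL` leaves `fp` open, and the caller receives nothing it could use to close it. If `fp` was opened by this function (the open call is above the hunk), the stream and its descriptor are leaked on every failed allocation. I would change the branch to `if ( lfp == NULL ) { fclose( fp ); return NULL; }`.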
LDAP_STRDUP(features[i].ldapaif_name); ++ if ( info->ldapai_extensions[i] == NULL ) { ++ rc = LDAP_NO_MEMORY; ++ break; ++ } ++ } ++ if ( features[i].ldapaif_name != NULL ) { ++ break; /* LDAP_NO_MEMORY */ + } + + info->ldapai_extensions[i] = NULL; +@@ -895,6 +906,11 @@ ldap_set_option( + /* setting pushes the callback */ + ldaplist *ll; + ll = LDAP_MALLOC( sizeof( *ll )); ++ if ( ll == NULL ) { ++ rc = LDAP_NO_MEMORY; ++ break; ++ } ++ + ll->ll_data = (void *)invalue; + ll->ll_next = lo->ldo_conn_cbs; + lo->ldo_conn_cbs = ll; +diff --git a/libraries/libldap/result.c b/libraries/libldap/result.c +index b4e478aacb..04ee48ea18 100644 +--- a/libraries/libldap/result.c ++++ b/libraries/libldap/result.c +@@ -1027,6 +1027,11 @@ try_read1msg( + * to parse. + */ + ber = ldap_alloc_ber_with_options( ld ); ++ if ( ber == NULL ) { ++ ld->ld_errno = LDAP_NO_MEMORY; ++ return -1; ++ } ++ + if ( ber_sockbuf_ctrl( lc->lconn_sb, LBER_SB_OPT_DATA_READY, NULL ) ) ok = 1; + } + /* set up response chain */ +diff --git a/libraries/libldap/schema.c b/libraries/libldap/schema.c +index 5cb30e7bfb..ef99a17c97 100644 +--- a/libraries/libldap/schema.c ++++ b/libraries/libldap/schema.c +@@ -2126,6 +2126,11 @@ ldap_str2attributetype( LDAP_CONST char * s, + /* Non-numerical OID ... 
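Review bot: When `LDAP_STRDUP` fails part-way through the loop in the options.c hunk at -151 (ldap_get_option), `info->ldapai_extensions` is left pointing at a partly filled array with no NULL terminator, because the terminating store is skipped by the second `break`. A caller that ignores the return code and walks or frees the array reads uninitialised pointers, and the strings already duplicated are never released. I would free what was built and reset the field in the failure branch, as below. The post-loop `features[i].ldapaif_name != NULL` test can stay as it is. The enclosing switch case starts and ends outside the hunk.

```c
/* … unchanged: LDAP_MALLOC of info->ldapai_extensions and its NULL check … */
for(i=0; features[i].ldapaif_name != NULL; i++) {
	info->ldapai_extensions[i] =
		LDAP_STRDUP(features[i].ldapaif_name);
	if ( info->ldapai_extensions[i] == NULL ) {
		int j;

		/* never hand back a partial, unterminated array */
		for ( j = 0; j < i; j++ ) {
			LDAP_FREE( info->ldapai_extensions[j] );
		}
		LDAP_FREE( info->ldapai_extensions );
		info->ldapai_extensions = NULL;
		rc = LDAP_NO_MEMORY;
		break;
	}
}
/* … unchanged: post-loop break on failure, NULL terminator … */
```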
*/ + int len = ss-savepos; + at->at_oid = LDAP_MALLOC(len+1); ++ if ( !at->at_oid ) { ++ ldap_attributetype_free(at); ++ return NULL; ++ } ++ + strncpy(at->at_oid, savepos, len); + at->at_oid[len] = 0; + } +@@ -2499,6 +2504,11 @@ ldap_str2objectclass( LDAP_CONST char * s, + /* Non-numerical OID, ignore */ + int len = ss-savepos; + oc->oc_oid = LDAP_MALLOC(len+1); ++ if ( !oc->oc_oid ) { ++ ldap_objectclass_free(oc); ++ return NULL; ++ } ++ + strncpy(oc->oc_oid, savepos, len); + oc->oc_oid[len] = 0; + } +@@ -2780,6 +2790,11 @@ ldap_str2contentrule( LDAP_CONST char * s, + /* Non-numerical OID, ignore */ + int len = ss-savepos; + cr->cr_oid = LDAP_MALLOC(len+1); ++ if ( !cr->cr_oid ) { ++ ldap_contentrule_free(cr); ++ return NULL; ++ } ++ + strncpy(cr->cr_oid, savepos, len); + cr->cr_oid[len] = 0; + } + +diff --git a/servers/slapd/back-meta/config.c b/servers/slapd/back-meta/config.c +index fc0ec2cde5..5cb4d1c1dd 100644 +--- a/servers/slapd/back-meta/config.c ++++ b/servers/slapd/back-meta/config.c +@@ -1481,7 +1481,7 @@ meta_back_cf_gen( ConfigArgs *c ) + char *ptr; + int len = snprintf( buf, sizeof( buf ), SLAP_X_ORDERED_FMT, i ); + bv.bv_len = ((*bvp)[ i ]).bv_len + len; +- bv.bv_val = ber_memrealloc( bv.bv_val, bv.bv_len + 1 ); ++ bv.bv_val = ch_realloc( bv.bv_val, bv.bv_len + 1 ); + ptr = bv.bv_val; + ptr = lutil_strcopy( ptr, buf ); + ptr = lutil_strncopy( ptr, ((*bvp)[ i ]).bv_val, ((*bvp)[ i ]).bv_len ); +@@ -2635,7 +2635,7 @@ idassert-authzFrom "dn:" + assert( !BER_BVISNULL( &mt->mt_idassert_authcDN ) ); + + bv.bv_len = STRLENOF( "dn:" ) + c->be->be_rootndn.bv_len; +- bv.bv_val = ber_memalloc( bv.bv_len + 1 ); ++ bv.bv_val = ch_malloc( bv.bv_len + 1 ); + AC_MEMCPY( bv.bv_val, "dn:", STRLENOF( "dn:" ) ); + AC_MEMCPY( &bv.bv_val[ STRLENOF( "dn:" ) ], c->be->be_rootndn.bv_val, c->be->be_rootndn.bv_len + 1 ); + +diff --git a/servers/slapd/back-meta/map.c b/servers/slapd/back-meta/map.c +index 144dc693de..ee7aa2f086 100644 +--- a/servers/slapd/back-meta/map.c ++++ 
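Review bot: The new out-of-memory branch in the schema.c hunk at -2126 (ldap_str2attributetype) frees the object and returns NULL without recording why. The other error paths are outside the hunk, but if this parser reports the failure kind through its error-code and error-position out-parameters, they are left unset here and the caller cannot tell memory exhaustion from a syntax error. Setting them first, for example `*code = LDAP_SCHERR_OUTOFMEM;` before `ldap_attributetype_free(at);`, would fix that. The same applies to the ldap_str2objectclass hunk at -2499 and the ldap_str2contentrule hunk at -2780.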
b/servers/slapd/back-meta/map.c +@@ -381,6 +381,10 @@ ldap_back_int_filter_map_rewrite( + fstr->bv_len = atmp.bv_len + vtmp.bv_len + + ( sizeof("(=)") - 1 ); + fstr->bv_val = ber_memalloc_x( fstr->bv_len + 1, memctx ); ++ if ( !fstr->bv_val ) { ++ ber_memfree_x( vtmp.bv_val, memctx ); ++ return LDAP_NO_MEMORY; ++ } + + snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=%s)", + atmp.bv_val, vtmp.bv_len ? vtmp.bv_val : "" ); +@@ -398,6 +402,10 @@ ldap_back_int_filter_map_rewrite( + fstr->bv_len = atmp.bv_len + vtmp.bv_len + + ( sizeof("(>=)") - 1 ); + fstr->bv_val = ber_memalloc_x( fstr->bv_len + 1, memctx ); ++ if ( !fstr->bv_val ) { ++ ber_memfree_x( vtmp.bv_val, memctx ); ++ return LDAP_NO_MEMORY; ++ } + + snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s>=%s)", + atmp.bv_val, vtmp.bv_len ? vtmp.bv_val : "" ); +@@ -415,6 +423,10 @@ ldap_back_int_filter_map_rewrite( + fstr->bv_len = atmp.bv_len + vtmp.bv_len + + ( sizeof("(<=)") - 1 ); + fstr->bv_val = ber_memalloc_x( fstr->bv_len + 1, memctx ); ++ if ( !fstr->bv_val ) { ++ ber_memfree_x( vtmp.bv_val, memctx ); ++ return LDAP_NO_MEMORY; ++ } + + snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s<=%s)", + atmp.bv_val, vtmp.bv_len ? vtmp.bv_val : "" ); +@@ -432,6 +444,10 @@ ldap_back_int_filter_map_rewrite( + fstr->bv_len = atmp.bv_len + vtmp.bv_len + + ( sizeof("(~=)") - 1 ); + fstr->bv_val = ber_memalloc_x( fstr->bv_len + 1, memctx ); ++ if ( !fstr->bv_val ) { ++ ber_memfree_x( vtmp.bv_val, memctx ); ++ return LDAP_NO_MEMORY; ++ } + + snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s~=%s)", + atmp.bv_val, vtmp.bv_len ? vtmp.bv_val : "" ); +@@ -450,17 +466,27 @@ ldap_back_int_filter_map_rewrite( + + fstr->bv_len = atmp.bv_len + ( STRLENOF( "(=*)" ) ); + fstr->bv_val = ber_memalloc_x( fstr->bv_len + 128, memctx ); /* FIXME: why 128 ? 
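Review bot: On the new failure path of the first map.c hunk, `fstr->bv_len` has already been set to the intended length while `fstr->bv_val` is NULL, so the function returns LDAP_NO_MEMORY and leaves an inconsistent berval in the caller's hands. Resetting it before returning, with `BER_BVZERO( fstr );`, keeps any later length-based use or free of `fstr` safe. The same branch is added in the `>=`, `<=` and `~=` hunks on this line and in the presence and extensible-match hunks further down. ldap_back_int_filter_map_rewrite starts and ends outside these hunks, so how callers treat `fstr` on error could not be checked here.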
*/ ++ if ( !fstr->bv_val ) { ++ return LDAP_NO_MEMORY; ++ } + + snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)", + atmp.bv_val ); + + if ( !BER_BVISNULL( &f->f_sub_initial ) ) { ++ char *tmp; ++ + len = fstr->bv_len; + + filter_escape_value_x( &f->f_sub_initial, &vtmp, memctx ); + + fstr->bv_len += vtmp.bv_len; +- fstr->bv_val = ber_memrealloc_x( fstr->bv_val, fstr->bv_len + 1, memctx ); ++ tmp = ber_memrealloc_x( fstr->bv_val, fstr->bv_len + 1, memctx ); ++ if ( !tmp ) { ++ ber_memfree_x( vtmp.bv_val, memctx ); ++ return LDAP_NO_MEMORY; ++ } ++ fstr->bv_val = tmp; + + snprintf( &fstr->bv_val[len - 2], vtmp.bv_len + 3, + /* "(attr=" */ "%s*)", +@@ -471,11 +497,18 @@ ldap_back_int_filter_map_rewrite( + + if ( f->f_sub_any != NULL ) { + for ( i = 0; !BER_BVISNULL( &f->f_sub_any[i] ); i++ ) { ++ char *tmp; ++ + len = fstr->bv_len; + filter_escape_value_x( &f->f_sub_any[i], &vtmp, memctx ); + + fstr->bv_len += vtmp.bv_len + 1; +- fstr->bv_val = ber_memrealloc_x( fstr->bv_val, fstr->bv_len + 1, memctx ); ++ tmp = ber_memrealloc_x( fstr->bv_val, fstr->bv_len + 1, memctx ); ++ if ( !tmp ) { ++ ber_memfree_x( vtmp.bv_val, memctx ); ++ return LDAP_NO_MEMORY; ++ } ++ fstr->bv_val = tmp; + + snprintf( &fstr->bv_val[len - 1], vtmp.bv_len + 3, + /* "(attr=[init]*[any*]" */ "%s*)", +@@ -485,12 +518,19 @@ ldap_back_int_filter_map_rewrite( + } + + if ( !BER_BVISNULL( &f->f_sub_final ) ) { ++ char *tmp; ++ + len = fstr->bv_len; + + filter_escape_value_x( &f->f_sub_final, &vtmp, memctx ); + + fstr->bv_len += vtmp.bv_len; +- fstr->bv_val = ber_memrealloc_x( fstr->bv_val, fstr->bv_len + 1, memctx ); ++ tmp = ber_memrealloc_x( fstr->bv_val, fstr->bv_len + 1, memctx ); ++ if ( !tmp ) { ++ ber_memfree_x( vtmp.bv_val, memctx ); ++ return LDAP_NO_MEMORY; ++ } ++ fstr->bv_val = tmp; + + snprintf( &fstr->bv_val[len - 1], vtmp.bv_len + 3, + /* "(attr=[init*][any*]" */ "%s)", +@@ -510,6 +550,9 @@ ldap_back_int_filter_map_rewrite( + + fstr->bv_len = atmp.bv_len + ( STRLENOF( "(=*)" ) ); + 
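Review bot: When `ber_memrealloc_x` fails in the `f_sub_initial` block, `fstr->bv_len += vtmp.bv_len;` has already run, so the function returns with the old buffer still attached to `fstr` but a length that describes text that was never written. The saved `len` is at hand, so the failure branch can restore it with `fstr->bv_len = len;` before `return LDAP_NO_MEMORY;`, or free and zero `fstr` if callers do not release it on error. The `f_sub_any` and `f_sub_final` hunks on this line add the same branch and need the same treatment. The enclosing function continues outside these hunks, so the caller's cleanup on error is not visible.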
fstr->bv_val = ber_memalloc_x( fstr->bv_len + 1, memctx ); ++ if ( !fstr->bv_val ) { ++ return LDAP_NO_MEMORY; ++ } + + snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)", + atmp.bv_val ); +@@ -537,6 +580,10 @@ ldap_back_int_filter_map_rewrite( + + fstr->bv_len += vtmp.bv_len; + fstr->bv_val = ber_memrealloc_x( fstr->bv_val, fstr->bv_len + 1, memctx ); ++ if ( !fstr->bv_val ) { ++ ber_memfree_x( vtmp.bv_val, memctx ); ++ return LDAP_NO_MEMORY; ++ } + + snprintf( &fstr->bv_val[len-1], vtmp.bv_len + 2, + /*"("*/ "%s)", vtmp.bv_len ? vtmp.bv_val : "" ); +@@ -565,6 +612,10 @@ ldap_back_int_filter_map_rewrite( + ( !BER_BVISEMPTY( &f->f_mr_rule_text ) ? f->f_mr_rule_text.bv_len + 1 : 0 ) + + vtmp.bv_len + ( STRLENOF( "(:=)" ) ); + fstr->bv_val = ber_memalloc_x( fstr->bv_len + 1, memctx ); ++ if ( !fstr->bv_val ) { ++ ber_memfree_x( vtmp.bv_val, memctx ); ++ return LDAP_NO_MEMORY; ++ } + + snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s%s%s%s:=%s)", + atmp.bv_val, +diff --git a/servers/slapd/back-meta/search.c b/servers/slapd/back-meta/search.c +index 438b324350..af4ae14397 100644 +--- a/servers/slapd/back-meta/search.c ++++ b/servers/slapd/back-meta/search.c +@@ -1301,7 +1301,7 @@ really_bad:; + for ( cnt = 0; references[ cnt ]; cnt++ ) + ; + +- rs->sr_ref = ber_memalloc_x( sizeof( struct berval ) * ( cnt + 1 ), ++ rs->sr_ref = op->o_tmpalloc( sizeof( struct berval ) * ( cnt + 1 ), + op->o_tmpmemctx ); + + for ( cnt = 0; references[ cnt ]; cnt++ ) { +@@ -1456,7 +1456,7 @@ really_bad:; + for ( cnt = 0; references[ cnt ]; cnt++ ) + ; + +- sr_ref = ber_memalloc_x( sizeof( struct berval ) * ( cnt + 1 ), ++ sr_ref = op->o_tmpalloc( sizeof( struct berval ) * ( cnt + 1 ), + op->o_tmpmemctx ); + + for ( cnt = 0; references[ cnt ]; cnt++ ) { + diff --git a/backport-fix-implicit-function-declaration.patch b/backport-fix-implicit-function-declaration.patch new file mode 100644 index 0000000000000000000000000000000000000000..1c1da09d72eb759c87c0883220852b761893db96 --- /dev/null 
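Review bot: In the `@@ -537,6 +580,10 @@` hunk the result of `ber_memrealloc_x` is still assigned straight to `fstr->bv_val`, so when it fails the only pointer to the existing buffer is overwritten and that buffer can no longer be released through `fstr`. The substring hunks of the same patch avoid this with a temporary, and the same shape fits here: `tmp = ber_memrealloc_x( fstr->bv_val, fstr->bv_len + 1, memctx );`, test `if ( !tmp )`, then `fstr->bv_val = tmp;`. The `char *tmp;` declaration belongs at the top of the enclosing block, which lies outside the hunk.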
+++ b/backport-fix-implicit-function-declaration.patch @@ -0,0 +1,30 @@ +From 57b7003a6473206e2526dcc91c7ddb357c7e66de Mon Sep 17 00:00:00 2001 +From: Sergei Trofimovich +Date: Mon, 19 Jun 2017 21:48:05 +0100 +Subject: [PATCH] thr_posix.c: fix implicit function declaration for + 'pthread_setconcurrency' + +thr_posix.c: In function 'ldap_pvt_thread_set_concurrency': +thr_posix.c:96:9: error: implicit declaration of function 'pthread_setconcurrency' + return pthread_setconcurrency( n ); + ^~~~~~~~~~~~~~~~~~~~~~ + pthread_setcanceltype + +Signed-off-by: Sergei Trofimovich +--- + libraries/libldap_r/thr_posix.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libraries/libldap_r/thr_posix.c b/libraries/libldap_r/thr_posix.c +index 35bde07327..e0368cc1eb 100644 +--- a/libraries/libldap_r/thr_posix.c ++++ b/libraries/libldap_r/thr_posix.c +@@ -14,6 +14,8 @@ + * . + */ + ++#define _XOPEN_SOURCE 500 /* For pthread_setconcurrency() on glibc */ ++ + #include "portable.h" + + #if defined( HAVE_PTHREADS ) diff --git a/openldap-2.4.46.tgz b/openldap-2.4.49.tgz similarity index 43% rename from openldap-2.4.46.tgz rename to openldap-2.4.49.tgz index 04c6e7983ccead86af65b4ffcfd6e284433e4425..634b85165969f972ecd1e48137d675dac7ed4a05 100644 Binary files a/openldap-2.4.46.tgz and b/openldap-2.4.49.tgz differ diff --git a/openldap.spec b/openldap.spec index f72ae0dc1d05f8ff509ffbd211580b92111d8d7c..599e209e61562674eb93d6f3077bbc9f080b4b3f 100644 --- a/openldap.spec +++ b/openldap.spec @@ -1,8 +1,8 @@ %global systemctl_bin /usr/bin/systemctl Name: openldap -Version: 2.4.46 -Release: 16 +Version: 2.4.49 +Release: 2 Summary: LDAP support libraries License: OpenLDAP URL: https://www.openldap.org/ 
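Review bot: `#define _XOPEN_SOURCE 500` is added unconditionally ahead of `#include "portable.h"` in thr_posix.c, so a build that already sets this feature-test macro on the command line gets a redefinition, and the explicit value also narrows what the system headers expose to the rest of the file. Guarding it keeps the fix for pthread_setconcurrency() without overriding a newer setting: `#ifndef _XOPEN_SOURCE`, `#define _XOPEN_SOURCE 500`, `#endif`. Only the top of the file is visible here, so whether later code relies on declarations outside that feature level could not be checked.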
@@ -24,10 +24,8 @@ Patch17: openldap-allop-overlay.patch # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327585 Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch -Patch20: openldap-ldapi-sasl.patch -Patch21: openldap-openssl-allow-ssl3.patch Patch90: check-password-makefile.patch -Patch91: check-password.patch +Patch91: check-password.patch Patch6000: bugfix-openldap-autoconf-pkgconfig-nss.patch Patch6001: bugfix-openldap-nss-ciphers-use-nss-defaults.patch Patch6002: bugfix-openldap-nss-ignore-certdb-type-prefix.patch 
@@ -41,37 +39,11 @@ Patch6009: bugfix-openldap-support-tlsv1-and-later.patch Patch6010: bugfix-openldap-temporary-ssl-thr-init-race.patch Patch6011: Fix-calls-to-SLAP_DEVPOLL_SOCK_LX-for-multi-listener.patch Patch6012: Fixup-for-binary-config-attrs.patch -Patch6013: ITS-8864-Fix-ber_realloc-after-a-partial-ber_flush.patch - -Patch6014: ITS-8840-Fix-domainScope-control-to-ensure-the-contr.patch -Patch6015: ITS-8843-check-for-NULL-modlist.patch -Patch6016: Fix-quoting-example.patch -Patch6017: ITS-8667-Do-not-finish-glue-initialisation-in-tool-m.patch -Patch6018: ITS-8842-Do-some-printability-checks-on-the-dc-RDN.patch -Patch6019: ITS-8909-fix-authz-policy-all-condition.patch -Patch6020: ITS-8909-additional-tweak.patch -Patch6021: Fix-index-delete.patch -Patch6022: ITS-8756-remove-loose-pg-from-dirty-list-in-freelist.patch -Patch6023: ITS-8918-fix-typo.patch -Patch6024: ITS-8923-fix-dyngroup-NO_SUCH_OBJECT-error-handling.patch -Patch6025: ITS-8878-Include-the-first-character-in-the-transfor.patch -Patch6026: ITS-8752-maybe-related.patch -Patch6027: ITS-8932-check-rdnNormalize-success.patch -Patch6028: ITS-8727-plug-ber-leaks.patch -Patch6029: ITS-8948-Fix-BDB-lib-to-only-be-linked-with-static-b.patch -Patch6030: ITS-8663-Fix-memberof-SLAP_CONFIG_EMIT.patch -Patch6031: ITS-8472-only-do-index-cleanup-if-DB-is-running.patch -Patch6032: ITS-8957-Fix-ASYNC-TLS.patch -Patch6033: ITS-8980-fix-async-connections-with-non-blocking-TLS.patch -Patch6034: CVE-2019-13057-1.patch -Patch6035: CVE-2019-13057-2.patch -Patch6036: CVE-2019-13057-3.patch -Patch6037: CVE-2019-13057-4.patch -Patch6038: CVE-2019-13565.patch -Patch6039: 0001-openldap-bugfix-make-test.patch -Patch6040: CVE-2020-12243.patch - -BuildRequires: cyrus-sasl-devel openssl-devel krb5-devel unixODBC-devel +Patch6013: backport-ITS9160-OOM-Handing.patch +Patch6014: backport-fix-implicit-function-declaration.patch +Patch6040: CVE-2020-12243.patch + +BuildRequires: cyrus-sasl-devel openssl-devel krb5-devel unixODBC-devel 
chrpath BuildRequires: glibc-devel libtool libtool-ltdl-devel groff perl-interpreter perl-devel perl-generators perl-ExtUtils-Embed %description @@ -141,8 +113,6 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi %patch5 -p1 %patch17 -p1 %patch19 -p1 -%patch20 -p1 -%patch21 -p1 %patch6000 -p1 %patch6001 -p1 @@ -159,31 +129,6 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi %patch6012 -p1 %patch6013 -p1 %patch6014 -p1 -%patch6015 -p1 -%patch6016 -p1 -%patch6017 -p1 -%patch6018 -p1 -%patch6019 -p1 -%patch6020 -p1 -%patch6021 -p1 -%patch6022 -p1 -%patch6023 -p1 -%patch6024 -p1 -%patch6025 -p1 -%patch6026 -p1 -%patch6027 -p1 -%patch6028 -p1 -%patch6029 -p1 -%patch6030 -p1 -%patch6031 -p1 -%patch6032 -p1 -%patch6033 -p1 -%patch6034 -p1 -%patch6035 -p1 -%patch6036 -p1 -%patch6037 -p1 -%patch6038 -p1 -%patch6039 -p1 %patch6040 -p1 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays @@ -322,6 +267,14 @@ rmdir %{buildroot}%{_localstatedir}/openldap-data %ldconfig_scriptlets +mkdir -p %{buildroot}/etc/ld.so.conf.d +echo "/usr/lib64/perl5/CORE" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf + +%check +pushd openldap-%{version} +make check +popd + %pre servers getent group ldap &>/dev/null || groupadd -r -g 55 ldap @@ -340,10 +293,9 @@ fi exit 0 - %post servers %systemd_post slapd.service - +/sbin/ldconfig if [[ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif && \ ! -f %{_sysconfdir}/openldap/slapd.conf ]]; then @@ -380,7 +332,7 @@ exit 0 %postun servers %systemd_postun_with_restart slapd.service - +/sbin/ldconfig %triggerin servers -- libdb if [ $2 -eq 2 ]; then @@ -412,11 +364,6 @@ fi exit 0 -%check -pushd openldap-%{version} -make check -popd - %files %defattr(-,root,root) %license openldap-%{version}/COPYRIGHT 
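Review bot: Patch6034 to Patch6038 (the four CVE-2019-13057 patches and CVE-2019-13565) are removed from the patch list without anything in the spec recording why, which makes it hard for an auditor to confirm that the rebased package is still covered. Presumably the 2.4.49 tarball already contains those fixes; that should be stated next to the list, for example `# CVE-2019-13057, CVE-2019-13565: dropped, fixed in upstream 2.4.49 sources`, after checking it against the upstream change log. The %changelog hunk at the end of this diff also deletes the 2.4.46-16 entry for CVE-2020-12243 although Patch6040 is kept; that entry should stay so the fix remains traceable.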
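Review bot: The added `echo "/usr/lib64/perl5/CORE" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf` hard-codes both the library directory and `/etc`, and it puts Perl's CORE directory on the system-wide linker search path for every program, presumably only so that one slapd module can find libperl. At minimum use the macros, `mkdir -p %{buildroot}%{_sysconfdir}/ld.so.conf.d` and `echo "%{_libdir}/perl5/CORE" > %{buildroot}%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf`, so the path is right on targets where the library directory is not lib64. The `%files` hunk further down would then name that one file instead of the glob `/etc/ld.so.conf.d/*`. These lines also follow `%ldconfig_scriptlets` in the hunk; if that macro opens scriptlet sections in this distribution, they are no longer part of %install and should move above it.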
@@ -442,6 +389,7 @@ popd %{_libexecdir}/openldap/upgrade-db.sh %{_sbindir}/sl* %ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf +%config(noreplace) /etc/ld.so.conf.d/* %files clients %defattr(-,root,root) @@ -467,11 +415,17 @@ popd %doc ltb-project-openldap-ppolicy-check-password-1.1/README.check_pwd %changelog -* Thu May 14 2020 lijingyu - 2.4.46-16 -- Type:cves -- ID:CVE-2020-12243 +* Wed Apr 22 2020 songnannan - 2.4.49-2 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:bugfix from the community of openldap + +* Fri Apr 17 2020 songnannan - 2.4.49-1 +- Type:bugfix +- ID:NA - SUG:NA -- DESC: fix CVE-2020-12243 +- DESC:update to 2.4.49 * Wed Mar 11 2020 songnannan - 2.4.46-15 - bugfix about conf file