[389-commits] Branch '389-ds-base-1.3.1' - ldap/servers

thierry bordaz tbordaz at fedoraproject.org
Tue Jan 7 10:17:59 UTC 2014 

 ldap/servers/slapd/control.c |   32 +++++++++++++++++++++-----------
 1 file changed, 21 insertions(+), 11 deletions(-)

New commits:
commit dea2a254117f1e9f4be1068c6784b2780fec933f
Author: Thierry bordaz (tbordaz) <tbordaz at redhat.com>
Date:   Thu May 16 15:28:47 2013 +0200

    Ticket 571 (dup 47361) - Empty control list causes LDAP protocol error is thrown
    
    Bug Description:
    
    	If a request contains a list of controls containing zero control, it does
    	not conform RFC http://tools.ietf.org/html/rfc4511#section-4.1.11. Then the
    	server returns a Protocol Error.
    	This is too restrictive for some applications.
    	Note: such application needs to be linked with old version of mozldap or openldap
    	because recent version skip sending empty list of controls
    
    Fix Description:
    	The fix is to ignore this error and let the operation complete
    
    	Note: ticket 571 (bz 918717) is a duplicate of 47361 (bz 963234). 47361 was used to
    	backport in 1.2.11. 571 is used to backport in 1.3.1.
    	This bug is fixed since 1.3.2
    
    https://fedorahosted.org/389/ticket/571
    https://fedorahosted.org/389/ticket/47361
    
    Reviewed by: Rich Megginson (thanks Rich !)
    
    Platforms tested: F17 (unit + acceptance vlv/proxy/managed/psearch/tls/bindcontrol)
    
    Flag Day: no
    
    Doc impact: no

diff --git a/ldap/servers/slapd/control.c b/ldap/servers/slapd/control.c
index fc3ab9f..e614d50 100644
--- a/ldap/servers/slapd/control.c
+++ b/ldap/servers/slapd/control.c
@@ -354,17 +354,27 @@ get_ldapmessage_controls_ext(
 		len = -1; /* reset for next loop iter */
 	}
 
-	if ( (tag != LBER_END_OF_SEQORSET) && (len != -1) ) {
-		goto free_and_return;
-	}
-
-	slapi_pblock_set( pb, SLAPI_REQCONTROLS, ctrls );
-	managedsait = slapi_control_present( ctrls,
-	    LDAP_CONTROL_MANAGEDSAIT, NULL, NULL );
-	slapi_pblock_set( pb, SLAPI_MANAGEDSAIT, &managedsait );
-	pwpolicy_ctrl = slapi_control_present( ctrls,
-	    LDAP_X_CONTROL_PWPOLICY_REQUEST, NULL, NULL );
-	slapi_pblock_set( pb, SLAPI_PWPOLICY, &pwpolicy_ctrl );
+        if (curcontrols == 0) {
+                int ctrl_not_found = 0; /* means that a given control is not present in the request */
+                
+                slapi_pblock_set(pb, SLAPI_REQCONTROLS, NULL);
+                slapi_pblock_set(pb, SLAPI_MANAGEDSAIT, &ctrl_not_found);
+                slapi_pblock_set(pb, SLAPI_PWPOLICY, &ctrl_not_found);
+                slapi_log_error(SLAPI_LOG_CONNS, "connection", "Warning: conn=%d op=%d contains an empty list of controls\n",
+                        pb->pb_conn->c_connid, pb->pb_op->o_opid);
+        } else {
+                if ((tag != LBER_END_OF_SEQORSET) && (len != -1)) {
+                        goto free_and_return;
+                }
+
+                slapi_pblock_set(pb, SLAPI_REQCONTROLS, ctrls);
+                managedsait = slapi_control_present(ctrls,
+                        LDAP_CONTROL_MANAGEDSAIT, NULL, NULL);
+                slapi_pblock_set(pb, SLAPI_MANAGEDSAIT, &managedsait);
+                pwpolicy_ctrl = slapi_control_present(ctrls,
+                        LDAP_X_CONTROL_PWPOLICY_REQUEST, NULL, NULL);
+                slapi_pblock_set(pb, SLAPI_PWPOLICY, &pwpolicy_ctrl);
+        }
 
 	if ( controlsp != NULL ) {
 		*controlsp = ctrls;

More information about the 389-commits mailing list