Branch 'Directory_Server_8_2_Branch' - ldap/servers
by Richard Allen Megginson
ldap/servers/plugins/dna/dna.c | 2 ++
ldap/servers/plugins/replication/repl5_protocol_util.c | 3 +--
ldap/servers/slapd/back-ldbm/import-threads.c | 2 ++
ldap/servers/slapd/backend.c | 1 +
ldap/servers/slapd/bind.c | 6 ++++++
ldap/servers/slapd/main.c | 11 +++++++++--
6 files changed, 21 insertions(+), 4 deletions(-)
New commits:
commit ac527ca719774ffa828125c7d12ea3b6a66f9511
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Thu Mar 4 14:23:46 2010 -0700
fix various memory leaks
Reviewed by: nhosoi (Thanks!)
var/tmp/run_gssapi.vg.25032:Memory leak: 99 bytes duplicates: 5
> malloc() at vg_replace_malloc.c:207
> strdup() at /lib/libc-2.10.2.so
> slapi_ch_strdup() at ch_malloc.c:277
> ids_sasl_check_bind() at saslbind.c:924
> do_bind() at bind.c:382
> connection_threadmain() at connection.c:554
> --unknown-- at /lib/libnspr4.so
> start_thread() at /lib/libpthread-2.10.2.so
> clone() at /lib/libc-2.10.2.so
The problem is that ids_sasl_check_bind can reset SLAPI_BIND_TARGET to
a malloc'd value. The do_bind() code should check for this condition
and free it.
var/tmp/entryusn.vg.5997:Memory leak: 8 bytes duplicates: 8
> calloc() at vg_replace_malloc.c:397
> slapi_ch_calloc() at ch_malloc.c:243
> slapi_counter_new() at slapi_counter.c:95
> ldbm_usn_init() at ldbm_usn.c:86
> ldbm_back_start() at start.c:223
> plugin_call_func() at plugin.c:1417
> plugin_dependency_startall.clone.0() at plugin.c:1385
> main() at main.c:1138
The backend cleanup code should free be_usn_counter.
var/tmp/ipv6.vg.15561:Memory leak: 13 bytes duplicates: 3
> malloc() at vg_replace_malloc.c:207
> strdup() at /lib/libc-2.10.2.so
> slapi_ch_strdup() at ch_malloc.c:277
> config_get_listenhost() at libglobs.c:3674
> main() at main.c:874
var/tmp/ipv6.vg.15561:Memory leak: 13 bytes duplicates: 3
> malloc() at vg_replace_malloc.c:207
> strdup() at /lib/libc-2.10.2.so
> slapi_ch_strdup() at ch_malloc.c:277
> config_get_securelistenhost() at libglobs.c:3686
> main() at main.c:881
config_get_listenhost() and config_get_securelistenhost() return malloc'd
memory which must be freed.
var/tmp/dna_scen1.vg.4901:Memory leak: 248 bytes duplicates: 1
> malloc() at vg_replace_malloc.c:207
> nslberi_malloc() at io.c:1677
> ber_flatten() at io.c:1604
> create_NSDS50ReplicationExtopPayload() at repl_extop.c:218
> NSDS50EndReplicationRequest_new() at repl_extop.c:265
> release_replica() at repl5_protocol_util.c:469
> repl5_inc_run() at repl5_inc_protocol.c:1187
> prot_thread_main() at repl5_protocol.c:341
> --unknown-- at /lib/libnspr4.so
> start_thread() at /lib/libpthread-2.10.2.so
> clone() at /lib/libc-2.10.2.so
The payload was not being freed under all function exit conditions. So, just free it immediately after use.
var/tmp/dnarun.vg.2491:Memory leak: 27 bytes duplicates: 0
> malloc() at vg_replace_malloc.c:207
> slapi_ch_malloc() at ch_malloc.c:155
> slapi_entry_attr_get_charptr() at entry.c:2432
> dna_parse_config_entry() at dna.c:816
> dna_pre_op() at dna.c:2587
> plugin_call_func() at plugin.c:1417
> plugin_call_plugins() at plugin.c:1379
> op_shared_add() at add.c:606
> do_add() at add.c:232
> connection_threadmain() at connection.c:564
> --unknown-- at /lib/libnspr4.so
> start_thread() at /lib/libpthread-2.10.2.so
> clone() at /lib/libc-2.10.2.so
The value was not being freed under all conditions.
==9877== 1,890 (252 direct, 1,638 indirect) bytes in 3 blocks are definitely lost in loss record 1,628 of 1,725
==9877== at 0x47E0E5C: calloc (vg_replace_malloc.c:397)
==9877== by 0x4819D89: slapi_ch_calloc (ch_malloc.c:243)
==9877== by 0x48284A6: slapi_entry_alloc (entry.c:1686)
==9877== by 0x4829BA5: str2entry_dupcheck (entry.c:631)
==9877== by 0x482BB5D: slapi_str2entry_ext (entry.c:1194)
==9877== by 0xB2A8E9D: import_producer (import-threads.c:541)
==9877== by 0x72E1990: (within /lib/libnspr4.so)
==9877== by 0x731E8F4: start_thread (in /lib/libpthread-2.10.2.so)
==9877== by 0x75B2FCD: clone (in /lib/libc-2.10.2.so)
Make sure the entry or backentry are freed.
(cherry picked from commit 64db7873c668ec17fc92aedc37cbd9f476ded605)
diff --git a/ldap/servers/plugins/dna/dna.c b/ldap/servers/plugins/dna/dna.c
index 4a99089..684d46d 100644
--- a/ldap/servers/plugins/dna/dna.c
+++ b/ldap/servers/plugins/dna/dna.c
@@ -833,6 +833,7 @@ dna_parse_config_entry(Slapi_Entry * e, int apply)
"dna_parse_config_entry: Unable to locate "
"shared configuration entry (%s)\n", value);
ret = DNA_FAILURE;
+ slapi_ch_free_string(&value);
goto bail;
} else {
slapi_entry_free(shared_e);
@@ -845,6 +846,7 @@ dna_parse_config_entry(Slapi_Entry * e, int apply)
* multi-part RDN for the shared config entry. */
entry->shared_cfg_dn = slapi_ch_smprintf("%s=%s+%s=%s,%s", DNA_HOSTNAME,
hostname, DNA_PORTNUM, portnum, value);
+ slapi_ch_free_string(&value);
slapi_dn_normalize(entry->shared_cfg_dn);
slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM,
diff --git a/ldap/servers/plugins/replication/repl5_protocol_util.c b/ldap/servers/plugins/replication/repl5_protocol_util.c
index f1b7036..3fbc978 100644
--- a/ldap/servers/plugins/replication/repl5_protocol_util.c
+++ b/ldap/servers/plugins/replication/repl5_protocol_util.c
@@ -470,6 +470,7 @@ release_replica(Private_Repl_Protocol *prp)
slapi_sdn_free(&replarea_sdn);
rc = conn_send_extended_operation(prp->conn,
REPL_END_NSDS50_REPLICATION_REQUEST_OID, payload, NULL /* update control */, &sent_message_id /* Message ID */);
+ ber_bvfree(payload); /* done with this - free it now */
if (0 != rc)
{
int operation, error;
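Review bot: After `ber_bvfree(payload); /* done with this - free it now */` the local `payload` keeps the freed address for the rest of release_replica, which continues well past this hunk. The cleanup at the end of the function is removed by the next hunk, so nothing visible reuses it, but adding `payload = NULL;` on the following line would make any later reference or re-added cleanup a no-op instead of a use-after-free or double free. The removed cleanup also guarded against a NULL payload, so confirm that ber_bvfree() accepts NULL in the LDAP SDK this builds against, since NSDS50EndReplicationRequest_new() can presumably fail. The identical hunk appears in commit 64db7873c668ec17fc92aedc37cbd9f476ded605 further down.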
@@ -538,8 +539,6 @@ release_replica(Private_Repl_Protocol *prp)
ber_bvecfree(ruv_bervals);
/* XXXggood free ruv_bervals if we got them for some reason */
}
- if (NULL != payload)
- ber_bvfree(payload);
if (NULL != retoid)
ldap_memfree(retoid);
if (NULL != retdata)
diff --git a/ldap/servers/slapd/back-ldbm/import-threads.c b/ldap/servers/slapd/back-ldbm/import-threads.c
index ebb3b56..d4b7af8 100644
--- a/ldap/servers/slapd/back-ldbm/import-threads.c
+++ b/ldap/servers/slapd/back-ldbm/import-threads.c
@@ -638,6 +638,7 @@ void import_producer(void *param)
}
if (job->flags & FLAG_ABORT) {
+ backentry_free(&ep);
goto error;
}
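Review bot: This cherry-pick carries only the two `backentry_free(&ep);` additions, while the original commit 64db7873c668ec17fc92aedc37cbd9f476ded605 changes six lines in this file and also frees `e` on the "silently skip" path after `import_entry_belongs_here()`. The valgrind record quoted in the message (slapi_entry_alloc reached from import_producer) is a lost Slapi_Entry, which is what that missing hunk addresses, so this branch may still leak it. The hunk offsets differ between the two commits, so the skip path may not exist here; if so, say so in the commit message, otherwise carry the `slapi_entry_free(e);` over. import_producer starts and ends outside these hunks.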
@@ -666,6 +667,7 @@ void import_producer(void *param)
DS_Sleep(sleeptime);
}
if (job->flags & FLAG_ABORT){
+ backentry_free(&ep);
goto error;
}
info->state = RUNNING;
diff --git a/ldap/servers/slapd/backend.c b/ldap/servers/slapd/backend.c
index 1fd198e..bdf977c 100644
--- a/ldap/servers/slapd/backend.c
+++ b/ldap/servers/slapd/backend.c
@@ -115,6 +115,7 @@ be_done(Slapi_Backend *be)
slapi_ch_free((void **)&be->be_backendconfig);
/* JCM char **be_include; ??? */
slapi_ch_free((void **)&be->be_name);
+ slapi_counter_destroy(&be->be_usn_counter);
PR_DestroyLock(be->be_state_lock);
if (be->be_lock != NULL)
{
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index 79d8c5c..b2604c1 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -135,6 +135,7 @@ do_bind( Slapi_PBlock *pb )
Slapi_Entry *bind_target_entry = NULL;
int auto_bind = 0;
int minssf = 0;
+ char *test_bind_dn = NULL;
LDAPDebug( LDAP_DEBUG_TRACE, "do_bind\n", 0, 0, 0 );
@@ -745,6 +746,11 @@ do_bind( Slapi_PBlock *pb )
free_and_return:;
if (be)
slapi_be_Unlock(be);
+ slapi_pblock_get(pb, SLAPI_BIND_TARGET, &test_bind_dn);
+ if (test_bind_dn != slapi_sdn_get_ndn(&sdn)) {
+ /* set in sasl bind or some other bind plugin */
+ slapi_ch_free_string(&test_bind_dn);
+ }
slapi_sdn_done(&sdn);
slapi_ch_free_string( &saslmech );
slapi_ch_free( (void **)&cred.bv_val );
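Review bot: The new free under `free_and_return` leaves the pblock's SLAPI_BIND_TARGET pointing at released memory, because `slapi_ch_free_string(&test_bind_dn);` clears only the local copy. Anything that reads SLAPI_BIND_TARGET from `pb` after this point (none is visible in the hunk) would touch freed heap on the authentication path; adding `slapi_pblock_set(pb, SLAPI_BIND_TARGET, NULL);` inside the `if` closes that. The pointer comparison also assumes that any value differing from `slapi_sdn_get_ndn(&sdn)` is heap memory handed over by a plugin, so a plugin that stores a borrowed or static string would now have it freed. I would extend the comment to state that rule, e.g. `/* set in sasl bind or some other bind plugin; must be malloc'd, do_bind takes ownership */`. do_bind starts and ends outside this hunk, and the identical hunk appears in commit 64db7873c668ec17fc92aedc37cbd9f476ded605 further down.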
diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
index 3cad84b..f92c845 100644
--- a/ldap/servers/slapd/main.c
+++ b/ldap/servers/slapd/main.c
@@ -870,19 +870,26 @@ main( int argc, char **argv)
if ((slapd_exemode == SLAPD_EXEMODE_SLAPD) ||
(slapd_exemode == SLAPD_EXEMODE_REFERRAL)) {
+ char *listenhost = config_get_listenhost();
+ char *securelistenhost = config_get_securelistenhost();
ports_info.n_port = (unsigned short)n_port;
- if ( slapd_listenhost2addr( config_get_listenhost(),
+ if ( slapd_listenhost2addr( listenhost,
&ports_info.n_listenaddr ) != 0 ||
ports_info.n_listenaddr == NULL ) {
+ slapi_ch_free_string(&listenhost);
+ slapi_ch_free_string(&securelistenhost);
return(1);
}
+ slapi_ch_free_string(&listenhost);
ports_info.s_port = (unsigned short)s_port;
- if ( slapd_listenhost2addr( config_get_securelistenhost(),
+ if ( slapd_listenhost2addr( securelistenhost,
&ports_info.s_listenaddr ) != 0 ||
ports_info.s_listenaddr == NULL ) {
+ slapi_ch_free_string(&securelistenhost);
return(1);
}
+ slapi_ch_free_string(&securelistenhost);
#if defined(ENABLE_LDAPI)
if( config_get_ldapi_switch() &&
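Review bot: Both host strings are fetched before the first check, so the first error branch has to free `securelistenhost` although it has not been used yet, and each string ends up with a free on every exit. Calling `config_get_securelistenhost()` just before its own `slapd_listenhost2addr()` call would remove one free and keep each string's lifetime next to its single use. A short comment at the declarations, such as `/* config_get_*listenhost() return a copy the caller must free */`, would record the ownership rule that the old call sites missed. main() continues outside this hunk, and the same hunk appears in commit 64db7873c668ec17fc92aedc37cbd9f476ded605 further down.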
ldap/servers
by Richard Allen Megginson
ldap/servers/plugins/dna/dna.c | 2 ++
ldap/servers/plugins/replication/repl5_protocol_util.c | 3 +--
ldap/servers/slapd/back-ldbm/import-threads.c | 6 ++++++
ldap/servers/slapd/backend.c | 1 +
ldap/servers/slapd/bind.c | 6 ++++++
ldap/servers/slapd/main.c | 11 +++++++++--
6 files changed, 25 insertions(+), 4 deletions(-)
New commits:
commit 64db7873c668ec17fc92aedc37cbd9f476ded605
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Thu Mar 4 14:02:29 2010 -0700
fix various memory leaks
Reviewed by: nhosoi (Thanks!)
var/tmp/run_gssapi.vg.25032:Memory leak: 99 bytes duplicates: 5
> malloc() at vg_replace_malloc.c:207
> strdup() at /lib/libc-2.10.2.so
> slapi_ch_strdup() at ch_malloc.c:277
> ids_sasl_check_bind() at saslbind.c:924
> do_bind() at bind.c:382
> connection_threadmain() at connection.c:554
> --unknown-- at /lib/libnspr4.so
> start_thread() at /lib/libpthread-2.10.2.so
> clone() at /lib/libc-2.10.2.so
The problem is that ids_sasl_check_bind can reset SLAPI_BIND_TARGET to
a malloc'd value. The do_bind() code should check for this condition
and free it.
var/tmp/entryusn.vg.5997:Memory leak: 8 bytes duplicates: 8
> calloc() at vg_replace_malloc.c:397
> slapi_ch_calloc() at ch_malloc.c:243
> slapi_counter_new() at slapi_counter.c:95
> ldbm_usn_init() at ldbm_usn.c:86
> ldbm_back_start() at start.c:223
> plugin_call_func() at plugin.c:1417
> plugin_dependency_startall.clone.0() at plugin.c:1385
> main() at main.c:1138
The backend cleanup code should free be_usn_counter.
var/tmp/ipv6.vg.15561:Memory leak: 13 bytes duplicates: 3
> malloc() at vg_replace_malloc.c:207
> strdup() at /lib/libc-2.10.2.so
> slapi_ch_strdup() at ch_malloc.c:277
> config_get_listenhost() at libglobs.c:3674
> main() at main.c:874
var/tmp/ipv6.vg.15561:Memory leak: 13 bytes duplicates: 3
> malloc() at vg_replace_malloc.c:207
> strdup() at /lib/libc-2.10.2.so
> slapi_ch_strdup() at ch_malloc.c:277
> config_get_securelistenhost() at libglobs.c:3686
> main() at main.c:881
config_get_listenhost() and config_get_securelistenhost() return malloc'd
memory which must be freed.
var/tmp/dna_scen1.vg.4901:Memory leak: 248 bytes duplicates: 1
> malloc() at vg_replace_malloc.c:207
> nslberi_malloc() at io.c:1677
> ber_flatten() at io.c:1604
> create_NSDS50ReplicationExtopPayload() at repl_extop.c:218
> NSDS50EndReplicationRequest_new() at repl_extop.c:265
> release_replica() at repl5_protocol_util.c:469
> repl5_inc_run() at repl5_inc_protocol.c:1187
> prot_thread_main() at repl5_protocol.c:341
> --unknown-- at /lib/libnspr4.so
> start_thread() at /lib/libpthread-2.10.2.so
> clone() at /lib/libc-2.10.2.so
The payload was not being freed under all function exit conditions. So, just free it immediately after use.
var/tmp/dnarun.vg.2491:Memory leak: 27 bytes duplicates: 0
> malloc() at vg_replace_malloc.c:207
> slapi_ch_malloc() at ch_malloc.c:155
> slapi_entry_attr_get_charptr() at entry.c:2432
> dna_parse_config_entry() at dna.c:816
> dna_pre_op() at dna.c:2587
> plugin_call_func() at plugin.c:1417
> plugin_call_plugins() at plugin.c:1379
> op_shared_add() at add.c:606
> do_add() at add.c:232
> connection_threadmain() at connection.c:564
> --unknown-- at /lib/libnspr4.so
> start_thread() at /lib/libpthread-2.10.2.so
> clone() at /lib/libc-2.10.2.so
The value was not being freed under all conditions.
==9877== 1,890 (252 direct, 1,638 indirect) bytes in 3 blocks are definitely lost in loss record 1,628 of 1,725
==9877== at 0x47E0E5C: calloc (vg_replace_malloc.c:397)
==9877== by 0x4819D89: slapi_ch_calloc (ch_malloc.c:243)
==9877== by 0x48284A6: slapi_entry_alloc (entry.c:1686)
==9877== by 0x4829BA5: str2entry_dupcheck (entry.c:631)
==9877== by 0x482BB5D: slapi_str2entry_ext (entry.c:1194)
==9877== by 0xB2A8E9D: import_producer (import-threads.c:541)
==9877== by 0x72E1990: (within /lib/libnspr4.so)
==9877== by 0x731E8F4: start_thread (in /lib/libpthread-2.10.2.so)
==9877== by 0x75B2FCD: clone (in /lib/libc-2.10.2.so)
Make sure the entry or backentry are freed.
diff --git a/ldap/servers/plugins/dna/dna.c b/ldap/servers/plugins/dna/dna.c
index 011821b..c82bf6b 100644
--- a/ldap/servers/plugins/dna/dna.c
+++ b/ldap/servers/plugins/dna/dna.c
@@ -833,6 +833,7 @@ dna_parse_config_entry(Slapi_Entry * e, int apply)
"dna_parse_config_entry: Unable to locate "
"shared configuration entry (%s)\n", value);
ret = DNA_FAILURE;
+ slapi_ch_free_string(&value);
goto bail;
} else {
slapi_entry_free(shared_e);
@@ -845,6 +846,7 @@ dna_parse_config_entry(Slapi_Entry * e, int apply)
* multi-part RDN for the shared config entry. */
entry->shared_cfg_dn = slapi_ch_smprintf("%s=%s+%s=%s,%s", DNA_HOSTNAME,
hostname, DNA_PORTNUM, portnum, value);
+ slapi_ch_free_string(&value);
slapi_dn_normalize(entry->shared_cfg_dn);
slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM,
diff --git a/ldap/servers/plugins/replication/repl5_protocol_util.c b/ldap/servers/plugins/replication/repl5_protocol_util.c
index f1b7036..3fbc978 100644
--- a/ldap/servers/plugins/replication/repl5_protocol_util.c
+++ b/ldap/servers/plugins/replication/repl5_protocol_util.c
@@ -470,6 +470,7 @@ release_replica(Private_Repl_Protocol *prp)
slapi_sdn_free(&replarea_sdn);
rc = conn_send_extended_operation(prp->conn,
REPL_END_NSDS50_REPLICATION_REQUEST_OID, payload, NULL /* update control */, &sent_message_id /* Message ID */);
+ ber_bvfree(payload); /* done with this - free it now */
if (0 != rc)
{
int operation, error;
@@ -538,8 +539,6 @@ release_replica(Private_Repl_Protocol *prp)
ber_bvecfree(ruv_bervals);
/* XXXggood free ruv_bervals if we got them for some reason */
}
- if (NULL != payload)
- ber_bvfree(payload);
if (NULL != retoid)
ldap_memfree(retoid);
if (NULL != retdata)
diff --git a/ldap/servers/slapd/back-ldbm/import-threads.c b/ldap/servers/slapd/back-ldbm/import-threads.c
index efcea3e..892fd8e 100644
--- a/ldap/servers/slapd/back-ldbm/import-threads.c
+++ b/ldap/servers/slapd/back-ldbm/import-threads.c
@@ -559,6 +559,10 @@ import_producer(void *param)
if (! import_entry_belongs_here(e, inst->inst_be)) {
/* silently skip */
+ if (e) {
+ slapi_entry_free(e);
+ }
+
continue;
}
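Review bot: The `if (e)` guard around `slapi_entry_free(e);` comes after `e` has already been passed to `import_entry_belongs_here(e, inst->inst_be)` on the line above. Either `e` cannot be NULL at this point and the guard is noise, or it can be and the NULL check belongs before that call. If slapi_entry_free() accepts NULL, as I believe it does, the body reduces to `slapi_entry_free(e);`. It would also be worth setting `e = NULL;` before `continue` unless the loop, which begins outside this hunk, always reassigns it.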
@@ -661,6 +665,7 @@ import_producer(void *param)
}
if (job->flags & FLAG_ABORT) {
+ backentry_free(&ep);
goto error;
}
@@ -689,6 +694,7 @@ import_producer(void *param)
DS_Sleep(sleeptime);
}
if (job->flags & FLAG_ABORT){
+ backentry_free(&ep);
goto error;
}
info->state = RUNNING;
diff --git a/ldap/servers/slapd/backend.c b/ldap/servers/slapd/backend.c
index f57bc23..4b2d928 100644
--- a/ldap/servers/slapd/backend.c
+++ b/ldap/servers/slapd/backend.c
@@ -115,6 +115,7 @@ be_done(Slapi_Backend *be)
slapi_ch_free((void **)&be->be_backendconfig);
/* JCM char **be_include; ??? */
slapi_ch_free((void **)&be->be_name);
+ slapi_counter_destroy(&be->be_usn_counter);
PR_DestroyLock(be->be_state_lock);
if (be->be_lock != NULL)
{
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index 8c5bc6b..3458ff6 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -135,6 +135,7 @@ do_bind( Slapi_PBlock *pb )
Slapi_Entry *bind_target_entry = NULL;
int auto_bind = 0;
int minssf = 0;
+ char *test_bind_dn = NULL;
LDAPDebug( LDAP_DEBUG_TRACE, "do_bind\n", 0, 0, 0 );
@@ -745,6 +746,11 @@ do_bind( Slapi_PBlock *pb )
free_and_return:;
if (be)
slapi_be_Unlock(be);
+ slapi_pblock_get(pb, SLAPI_BIND_TARGET, &test_bind_dn);
+ if (test_bind_dn != slapi_sdn_get_ndn(&sdn)) {
+ /* set in sasl bind or some other bind plugin */
+ slapi_ch_free_string(&test_bind_dn);
+ }
slapi_sdn_done(&sdn);
slapi_ch_free_string( &saslmech );
slapi_ch_free( (void **)&cred.bv_val );
diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
index 375fc4a..5023dcd 100644
--- a/ldap/servers/slapd/main.c
+++ b/ldap/servers/slapd/main.c
@@ -870,19 +870,26 @@ main( int argc, char **argv)
if ((slapd_exemode == SLAPD_EXEMODE_SLAPD) ||
(slapd_exemode == SLAPD_EXEMODE_REFERRAL)) {
+ char *listenhost = config_get_listenhost();
+ char *securelistenhost = config_get_securelistenhost();
ports_info.n_port = (unsigned short)n_port;
- if ( slapd_listenhost2addr( config_get_listenhost(),
+ if ( slapd_listenhost2addr( listenhost,
&ports_info.n_listenaddr ) != 0 ||
ports_info.n_listenaddr == NULL ) {
+ slapi_ch_free_string(&listenhost);
+ slapi_ch_free_string(&securelistenhost);
return(1);
}
+ slapi_ch_free_string(&listenhost);
ports_info.s_port = (unsigned short)s_port;
- if ( slapd_listenhost2addr( config_get_securelistenhost(),
+ if ( slapd_listenhost2addr( securelistenhost,
&ports_info.s_listenaddr ) != 0 ||
ports_info.s_listenaddr == NULL ) {
+ slapi_ch_free_string(&securelistenhost);
return(1);
}
+ slapi_ch_free_string(&securelistenhost);
#if defined(ENABLE_LDAPI)
if( config_get_ldapi_switch() &&
Branch 'Directory_Server_8_2_Branch' - ldap/servers
by Noriko Hosoi
ldap/servers/plugins/replication/repl5.h | 2
ldap/servers/plugins/replication/repl5_agmt.c | 14 +++++-
ldap/servers/plugins/replication/repl5_protocol.c | 48 +++++++---------------
3 files changed, 28 insertions(+), 36 deletions(-)
New commits:
commit ca55f3291735c6c1aa75221293c02c9bec3faf67
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Wed Mar 3 14:34:23 2010 -0800
539618 - Replication bulk import reports Invalid read/write
https://bugzilla.redhat.com/show_bug.cgi?id=539618
Back off this commit:
commit 4205086e4f237a52eb9113cd95f9cf87b39e9ed4
Date: Mon Feb 22 08:49:49 2010 -0800
since this change could cause the deadlock between the thread
eventually calling prot_free, which acquired the agreement lock,
and other threads waiting for the agreement lock, which prevents
the protocol stop.
Instead of waiting for prot_thread_main done in prot_free, let
prot_thread_main check the existence of the protocol field in
the agreement. If it's not available, prot_thread_main quits.
diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h
index 332bfb8..97ce556 100644
--- a/ldap/servers/plugins/replication/repl5.h
+++ b/ldap/servers/plugins/replication/repl5.h
@@ -410,7 +410,7 @@ void prot_initialize_replica(Repl_Protocol *rp);
/* stop protocol session in progress */
void prot_stop(Repl_Protocol *rp);
void prot_delete(Repl_Protocol **rpp);
-void prot_free(Repl_Protocol **rpp, int wait_for_done);
+void prot_free(Repl_Protocol **rpp);
PRBool prot_set_active_protocol (Repl_Protocol *rp, PRBool total);
void prot_clear_active_protocol (Repl_Protocol *rp);
Repl_Connection *prot_get_connection(Repl_Protocol *rp);
diff --git a/ldap/servers/plugins/replication/repl5_agmt.c b/ldap/servers/plugins/replication/repl5_agmt.c
index 2571d33..13db1ac 100644
--- a/ldap/servers/plugins/replication/repl5_agmt.c
+++ b/ldap/servers/plugins/replication/repl5_agmt.c
@@ -558,7 +558,7 @@ agmt_start(Repl_Agmt *ra)
if (ra->protocol != NULL) {
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "replication already started for agreement \"%s\"\n", agmt_get_long_name(ra));
PR_Unlock(ra->lock);
- prot_free(&prot, 0);
+ prot_free(&prot);
return 0;
}
@@ -606,7 +606,7 @@ windows_agmt_start(Repl_Agmt *ra)
if (ra->protocol != NULL) {
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "replication already started for agreement \"%s\"\n", agmt_get_long_name(ra));
PR_Unlock(ra->lock);
- prot_free(&prot, 0);
+ prot_free(&prot);
return 0;
}
@@ -645,7 +645,7 @@ agmt_stop(Repl_Agmt *ra)
PR_Lock(ra->lock);
ra->stop_in_progress = PR_FALSE;
/* we do not reuse the protocol object so free it */
- prot_free(&ra->protocol, 1);
+ prot_free(&ra->protocol);
PR_Unlock(ra->lock);
return return_value;
}
@@ -2261,3 +2261,11 @@ ReplicaId agmt_get_consumerRID(Repl_Agmt *ra)
return ra->consumerRID;
}
+int
+agmt_has_protocol(Repl_Agmt *agmt)
+{
+ if (agmt) {
+ return NULL != agmt->protocol;
+ }
+ return 0;
+}
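Review bot: `agmt_has_protocol()` reads `agmt->protocol` without taking the agreement lock, while `agmt_stop()` in this same file calls `prot_free(&ra->protocol)` with `ra->lock` held and presumably clears the field there. The caller in prot_thread_main therefore races with that writer, and the answer can be stale by the time it is used. If the lock ordering that motivated this commit permits it, wrap the read as `PR_Lock(agmt->lock); rc = (NULL != agmt->protocol); PR_Unlock(agmt->lock);`; if it does not, add a comment saying why the unlocked read is safe. The repl5.h hunk adds no prototype, so repl5_protocol.c appears to call this through an implicit declaration, and `int agmt_has_protocol(Repl_Agmt *agmt);` should be declared there. The identical hunk appears in commit be57c970629e65df13921d4628dddc30457110cc further down.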
diff --git a/ldap/servers/plugins/replication/repl5_protocol.c b/ldap/servers/plugins/replication/repl5_protocol.c
index 4a50d0b..927c450 100644
--- a/ldap/servers/plugins/replication/repl5_protocol.c
+++ b/ldap/servers/plugins/replication/repl5_protocol.c
@@ -77,7 +77,6 @@ typedef struct repl_protocol
/* States */
#define STATE_FINISHED 503
-#define STATE_DONE 504
#define STATE_BAD_STATE_SHOULD_NEVER_HAPPEN 599
/* Forward declarations */
@@ -173,8 +172,9 @@ prot_get_agreement(Repl_Protocol *rp)
}
+
void
-prot_free(Repl_Protocol **rpp, int wait_for_done)
+prot_free(Repl_Protocol **rpp)
{
Repl_Protocol *rp = NULL;
PRIntervalTime interval;
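Review bot: `PRIntervalTime interval;` stays declared in prot_free, but its only visible use, the `PR_MillisecondsToInterval(1000)` wait loop, is removed by the next hunk. Drop the declaration so the function does not carry an unused local and the compiler warning that goes with it. The rest of prot_free lies outside this hunk, and the same leftover is in commit be57c970629e65df13921d4628dddc30457110cc further down.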
@@ -182,30 +182,6 @@ prot_free(Repl_Protocol **rpp, int wait_for_done)
if (rpp == NULL || *rpp == NULL) return;
rp = *rpp;
- /*
- * This function has to wait until prot_thread_main exits if
- * prot_start is successfully called and prot_thread_main is
- * running. Otherwise, we may free Repl_Protocol while it's
- * being used.
- *
- * This function is supposed to be called when the protocol is
- * stopped either after prot_stop is called or when protocol
- * hasn't been started.
- *
- * The latter case: prot_free is called with wait_for_done = 0.
- * The former case: prot_free is called with wait_for_done = 1.
- * prot_stop had set STATE_FINISHED to next_state and stopped
- * the current activity. But depending upon the threads'
- * scheduling, prot_thread_main may not have gotten out of the
- * while loop at this moment. To make sure prot_thread_main
- * finished referring Repl_Protocol, we wait for the state set
- * to STATE_DONE.
- */
- interval = PR_MillisecondsToInterval(1000);
- while (wait_for_done && STATE_DONE != rp->state)
- {
- DS_Sleep(interval);
- }
PR_Lock(rp->lock);
if (NULL != rp->prp_incremental)
@@ -244,7 +220,7 @@ prot_delete(Repl_Protocol **rpp)
if (NULL != rp)
{
prot_stop(rp);
- prot_free(rpp, 1);
+ prot_free(rpp);
}
}
@@ -316,11 +292,13 @@ prot_thread_main(void *arg)
{
Repl_Protocol *rp = (Repl_Protocol *)arg;
int done;
+ Repl_Agmt *agmt = NULL;
PR_ASSERT(NULL != rp);
- if (rp->agmt) {
- set_thread_private_agmtname (agmt_get_long_name(rp->agmt));
+ agmt = rp->agmt;
+ if (agmt) {
+ set_thread_private_agmtname (agmt_get_long_name(agmt));
}
done = 0;
@@ -352,7 +330,7 @@ prot_thread_main(void *arg)
dev_debug("prot_thread_main(STATE_PERFORMING_TOTAL_UPDATE): end");
/* update the agreement entry to notify clients that
replica initialization is completed. */
- agmt_replica_init_done (rp->agmt);
+ agmt_replica_init_done (agmt);
break;
case STATE_FINISHED:
@@ -360,9 +338,15 @@ prot_thread_main(void *arg)
done = 1;
break;
}
- rp->state = rp->next_state;
+ if (agmt_has_protocol(agmt))
+ {
+ rp->state = rp->next_state;
+ }
+ else
+ {
+ done = 1;
+ }
}
- rp->state = STATE_DONE;
}
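Review bot: The `agmt_has_protocol(agmt)` test and the `rp->state = rp->next_state;` write that follows it are not atomic. prot_free() no longer waits for this thread, so `rp` can be released between the check and the write, or earlier in the loop body wherever `rp` is dereferenced. The cached `agmt` pointer has the same exposure if the agreement itself is deleted while the thread runs. As written this narrows the invalid read/write window of bug 539618 in exchange for removing the deadlock, rather than closing it. An explicit lifetime rule is needed, for example the thread frees `rp` itself on exit, or the stopper joins the thread after releasing the agreement lock. At minimum put a comment above the check naming the lock or ordering that keeps `rp` and `agmt` valid. prot_thread_main begins outside this hunk, and the same hunk is in commit be57c970629e65df13921d4628dddc30457110cc further down.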
ldap/servers
by Noriko Hosoi
ldap/servers/plugins/replication/repl5.h | 2
ldap/servers/plugins/replication/repl5_agmt.c | 14 ++++--
ldap/servers/plugins/replication/repl5_protocol.c | 49 ++++++----------------
3 files changed, 27 insertions(+), 38 deletions(-)
New commits:
commit be57c970629e65df13921d4628dddc30457110cc
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Wed Mar 3 10:37:18 2010 -0800
539618 - Replication bulk import reports Invalid read/write
https://bugzilla.redhat.com/show_bug.cgi?id=539618
Back off this commit:
commit 4205086e4f237a52eb9113cd95f9cf87b39e9ed4
Date: Mon Feb 22 08:49:49 2010 -0800
since this change could cause the deadlock between the thread
eventually calling prot_free, which acquired the agreement lock,
and other threads waiting for the agreement lock, which prevents
the protocol stop.
Instead of waiting for prot_thread_main done in prot_free, let
prot_thread_main check the existence of the protocol field in
the agreement. If it's not available, prot_thread_main quits.
diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h
index 332bfb8..97ce556 100644
--- a/ldap/servers/plugins/replication/repl5.h
+++ b/ldap/servers/plugins/replication/repl5.h
@@ -410,7 +410,7 @@ void prot_initialize_replica(Repl_Protocol *rp);
/* stop protocol session in progress */
void prot_stop(Repl_Protocol *rp);
void prot_delete(Repl_Protocol **rpp);
-void prot_free(Repl_Protocol **rpp, int wait_for_done);
+void prot_free(Repl_Protocol **rpp);
PRBool prot_set_active_protocol (Repl_Protocol *rp, PRBool total);
void prot_clear_active_protocol (Repl_Protocol *rp);
Repl_Connection *prot_get_connection(Repl_Protocol *rp);
diff --git a/ldap/servers/plugins/replication/repl5_agmt.c b/ldap/servers/plugins/replication/repl5_agmt.c
index 2571d33..13db1ac 100644
--- a/ldap/servers/plugins/replication/repl5_agmt.c
+++ b/ldap/servers/plugins/replication/repl5_agmt.c
@@ -558,7 +558,7 @@ agmt_start(Repl_Agmt *ra)
if (ra->protocol != NULL) {
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "replication already started for agreement \"%s\"\n", agmt_get_long_name(ra));
PR_Unlock(ra->lock);
- prot_free(&prot, 0);
+ prot_free(&prot);
return 0;
}
@@ -606,7 +606,7 @@ windows_agmt_start(Repl_Agmt *ra)
if (ra->protocol != NULL) {
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "replication already started for agreement \"%s\"\n", agmt_get_long_name(ra));
PR_Unlock(ra->lock);
- prot_free(&prot, 0);
+ prot_free(&prot);
return 0;
}
@@ -645,7 +645,7 @@ agmt_stop(Repl_Agmt *ra)
PR_Lock(ra->lock);
ra->stop_in_progress = PR_FALSE;
/* we do not reuse the protocol object so free it */
- prot_free(&ra->protocol, 1);
+ prot_free(&ra->protocol);
PR_Unlock(ra->lock);
return return_value;
}
@@ -2261,3 +2261,11 @@ ReplicaId agmt_get_consumerRID(Repl_Agmt *ra)
return ra->consumerRID;
}
+int
+agmt_has_protocol(Repl_Agmt *agmt)
+{
+ if (agmt) {
+ return NULL != agmt->protocol;
+ }
+ return 0;
+}
diff --git a/ldap/servers/plugins/replication/repl5_protocol.c b/ldap/servers/plugins/replication/repl5_protocol.c
index e909ed4..927c450 100644
--- a/ldap/servers/plugins/replication/repl5_protocol.c
+++ b/ldap/servers/plugins/replication/repl5_protocol.c
@@ -77,7 +77,6 @@ typedef struct repl_protocol
/* States */
#define STATE_FINISHED 503
-#define STATE_DONE 504
#define STATE_BAD_STATE_SHOULD_NEVER_HAPPEN 599
/* Forward declarations */
@@ -174,10 +173,8 @@ prot_get_agreement(Repl_Protocol *rp)
-/*
- */
void
-prot_free(Repl_Protocol **rpp, int wait_for_done)
+prot_free(Repl_Protocol **rpp)
{
Repl_Protocol *rp = NULL;
PRIntervalTime interval;
@@ -185,30 +182,6 @@ prot_free(Repl_Protocol **rpp, int wait_for_done)
if (rpp == NULL || *rpp == NULL) return;
rp = *rpp;
- /*
- * This function has to wait until prot_thread_main exits if
- * prot_start is successfully called and prot_thread_main is
- * running. Otherwise, we may free Repl_Protocol while it's
- * being used.
- *
- * This function is supposed to be called when the protocol is
- * stopped either after prot_stop is called or when protocol
- * hasn't been started.
- *
- * The latter case: prot_free is called with wait_for_done = 0.
- * The former case: prot_free is called with wait_for_done = 1.
- * prot_stop had set STATE_FINISHED to next_state and stopped
- * the current activity. But depending upon the threads'
- * scheduling, prot_thread_main may not have gotten out of the
- * while loop at this moment. To make sure prot_thread_main
- * finished referring Repl_Protocol, we wait for the state set
- * to STATE_DONE.
- */
- interval = PR_MillisecondsToInterval(1000);
- while (wait_for_done && STATE_DONE != rp->state)
- {
- DS_Sleep(interval);
- }
PR_Lock(rp->lock);
if (NULL != rp->prp_incremental)
@@ -247,7 +220,7 @@ prot_delete(Repl_Protocol **rpp)
if (NULL != rp)
{
prot_stop(rp);
- prot_free(rpp, 1);
+ prot_free(rpp);
}
}
@@ -319,11 +292,13 @@ prot_thread_main(void *arg)
{
Repl_Protocol *rp = (Repl_Protocol *)arg;
int done;
+ Repl_Agmt *agmt = NULL;
PR_ASSERT(NULL != rp);
- if (rp->agmt) {
- set_thread_private_agmtname (agmt_get_long_name(rp->agmt));
+ agmt = rp->agmt;
+ if (agmt) {
+ set_thread_private_agmtname (agmt_get_long_name(agmt));
}
done = 0;
@@ -355,7 +330,7 @@ prot_thread_main(void *arg)
dev_debug("prot_thread_main(STATE_PERFORMING_TOTAL_UPDATE): end");
/* update the agreement entry to notify clients that
replica initialization is completed. */
- agmt_replica_init_done (rp->agmt);
+ agmt_replica_init_done (agmt);
break;
case STATE_FINISHED:
@@ -363,9 +338,15 @@ prot_thread_main(void *arg)
done = 1;
break;
}
- rp->state = rp->next_state;
+ if (agmt_has_protocol(agmt))
+ {
+ rp->state = rp->next_state;
+ }
+ else
+ {
+ done = 1;
+ }
}
- rp->state = STATE_DONE;
}
ldap/admin
by Richard Allen Megginson
ldap/admin/src/scripts/DSUtil.pm.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit e8f50642bd3e19ad528b453850304611ab86506d
Author: Endi S. Dewata <edewata(a)redhat.com>
Date: Wed Mar 3 13:25:45 2010 -0600
Bug 545620 - Password cannot start with minus sign
https://bugzilla.redhat.com/show_bug.cgi?id=545620
Previously getopt would interpret initial '-' in root password
as an option which could lead to setup failure. Now a special
argument '--' has been added before the password to distinguish
it from other options.
diff --git a/ldap/admin/src/scripts/DSUtil.pm.in b/ldap/admin/src/scripts/DSUtil.pm.in
index 7e846d7..79586db 100644
--- a/ldap/admin/src/scripts/DSUtil.pm.in
+++ b/ldap/admin/src/scripts/DSUtil.pm.in
@@ -736,7 +736,7 @@ sub getHashedPassword {
if ($alg) {
$cmd .= " -s $alg";
}
- $cmd .= " " . shellEscape($pwd);
+ $cmd .= " -- " . shellEscape($pwd);
my $hashedpwd = `$cmd`;
chomp($hashedpwd);
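Review bot: The password still travels on the command line of the hashing program: `$cmd .= " -- " . shellEscape($pwd);` followed by the backtick call places it in the child's argument vector, where other local users can typically read it from the process list while the command runs. The added `--` fixes option parsing but not that exposure, and shell safety still depends entirely on shellEscape(), which is defined outside this hunk. If the hashing tool can take the password on standard input or from a file descriptor, pass it that way. Failing that, a list-form pipe open would at least remove the shell from the path. getHashedPassword begins and continues outside this hunk.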
VERSION.sh
by Richard Allen Megginson
VERSION.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit 7eef51d2b9cf6d915b568f54afa1e979a0cb1796
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Tue Mar 2 13:28:33 2010 -0700
bump version to 1.1.11.a3
diff --git a/VERSION.sh b/VERSION.sh
index 3541ac3..ddac7d4 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -15,7 +15,7 @@ VERSION_MAINT=11
# if this is a PRERELEASE, set VERSION_PREREL
# otherwise, comment it out
# be sure to include the dot prefix in the prerel
-VERSION_PREREL=.a2
+VERSION_PREREL=.a3
# NOTES on VERSION_PREREL
# use aN for an alpha release e.g. a1, a2, etc.
# use rcN for a release candidate e.g. rc1, rc2, etc.
Changes to 'refs/tags/389-ds-base-1.2.6.a2'
by Richard Allen Megginson
Changes since 389-ds-base-1.2.6.a1:
Nathan Kinder (3):
Bug 549554 - Trim single-valued attributes before sending to AD
Improve search for pcre header file
Bug 434735 - Allow SASL ANONYMOUS mech to work
Noriko Hosoi (16):
544089 - Referential Integrity Plugin does not take into account the attribute
557224 - subtree rename breaks the referential integrity plug-in
247413 - Incorrect error on multiple identical value add
559016 - Attempting to rename suffix returns inappropriate errors
555577 - Syntax validation fails for "ou=NetscapeRoot" tree
Undo - 555577 - Syntax validation fails for "ou=NetscapeRoot" tree
560827 - Admin Server templates: DistinguishName validation fails
548535 - memory leak in attrcrypt
563365 - Error handling problems in the backend functions
565664 - Incorrect parameter for CACHE_RETURN()
565987 - redhat-ds-base fails to build due to undefined struct
527848 - make sure db upgrade to 4.7 and later works correctly
539618 - Replication bulk import reports Invalid read/write
567370 - dncache: assertion failure in id2entry_delete
548115 - memory leak in schema reload
555970 - missing read lock in the combination of cos and nsview
Rich Megginson (20):
Net::LDAP password modify extop breaks; msgid in response is 0xFF
Clean up assert for entrydn
Bug 543080 - Bitwise plugin fails to return the exact matched entries for Bitwise search filter
Bug 537466 - nsslapd-distribution-plugin should not require plugin name to begin with "lib"
bump version to 1.2.6.a2
Do not use syntax plugins directly for filters, indexing
wrap new style matching rule plugins for use in old style indexing code
change extensible filter code to use new syntax function style mr funcs
change syntax plugins to register required matching rule plugins
crash looking up compat syntax; numeric string syntax using integer; make octet string ordering work correctly
fix memory leak in attr replace when replacement fails
fix dso linking issues found by fedora 13 linking
problems linking with -z defs
389 DS segfaults on libsyntax-plugin.so - part 1
389 DS segfaults on libsyntax-plugin.so - part 2
389 DS segfaults on libsyntax-plugin.so - part 3
Bug 460162 - FedoraDS "with-FHS" installs init.d StartupScript in wrong location on non-RHEL/Fedora OS
Bug 568196 - Install DS8.2 on Solaris fails
Bug 568196 - Install DS8.2 on Solaris fails - part 2
Bug 551198 - LDAPI: incorrect logging to access log
---
Makefile.am | 54 -
Makefile.in | 203 ++--
VERSION.sh | 2
configure | 118 +-
configure.ac | 38
include/i18n.h | 115 --
ldap/admin/src/scripts/DSUtil.pm.in | 31
ldap/admin/src/scripts/start-dirsrv.in | 4
ldap/admin/src/scripts/template-bak2db.in | 2
ldap/admin/src/scripts/template-db2bak.in | 2
ldap/admin/src/scripts/template-db2index.in | 2
ldap/admin/src/scripts/template-db2ldif.in | 2
ldap/admin/src/scripts/template-dbverify.in | 2
ldap/admin/src/scripts/template-ldif2db.in | 2
ldap/admin/src/scripts/template-restoreconfig.in | 4
ldap/admin/src/scripts/template-saveconfig.in | 4
ldap/admin/src/scripts/template-suffix2instance.in | 4
ldap/admin/src/scripts/template-upgradedb.in | 4
ldap/admin/src/scripts/template-vlvindex.in | 4
ldap/schema/05rfc4523.ldif | 14
ldap/servers/plugins/bitwise/bitwise.c | 18
ldap/servers/plugins/referint/referint.c | 684 ++++++++++-----
ldap/servers/plugins/replication/cl5_api.c | 38
ldap/servers/plugins/replication/repl5.h | 2
ldap/servers/plugins/replication/repl5_agmt.c | 8
ldap/servers/plugins/replication/repl5_protocol.c | 34
ldap/servers/plugins/replication/windows_protocol_util.c | 203 +++-
ldap/servers/plugins/syntaxes/bin.c | 142 ++-
ldap/servers/plugins/syntaxes/bitstring.c | 36
ldap/servers/plugins/syntaxes/ces.c | 139 +++
ldap/servers/plugins/syntaxes/cis.c | 256 +++++
ldap/servers/plugins/syntaxes/dn.c | 42
ldap/servers/plugins/syntaxes/int.c | 64 +
ldap/servers/plugins/syntaxes/nameoptuid.c | 41
ldap/servers/plugins/syntaxes/numericstring.c | 118 +-
ldap/servers/plugins/syntaxes/string.c | 6
ldap/servers/plugins/syntaxes/syntax.h | 56 +
ldap/servers/plugins/syntaxes/syntax_common.c | 117 ++
ldap/servers/plugins/syntaxes/tel.c | 62 +
ldap/servers/plugins/views/views.c | 4
ldap/servers/slapd/attr.c | 76 +
ldap/servers/slapd/attrsyntax.c | 55 +
ldap/servers/slapd/back-ldbm/back-ldbm.h | 4
ldap/servers/slapd/back-ldbm/dblayer.c | 99 +-
ldap/servers/slapd/back-ldbm/filterindex.c | 76 -
ldap/servers/slapd/back-ldbm/id2entry.c | 12
ldap/servers/slapd/back-ldbm/index.c | 20
ldap/servers/slapd/back-ldbm/ldbm_add.c | 67 -
ldap/servers/slapd/back-ldbm/ldbm_attr.c | 115 +-
ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c | 28
ldap/servers/slapd/back-ldbm/ldbm_delete.c | 53 -
ldap/servers/slapd/back-ldbm/ldbm_modify.c | 19
ldap/servers/slapd/back-ldbm/ldbm_modrdn.c | 71 +
ldap/servers/slapd/back-ldbm/ldif2ldbm.c | 4
ldap/servers/slapd/back-ldbm/matchrule.c | 26
ldap/servers/slapd/back-ldbm/misc.c | 2
ldap/servers/slapd/back-ldbm/proto-back-ldbm.h | 4
ldap/servers/slapd/back-ldbm/sort.c | 8
ldap/servers/slapd/back-ldbm/vlv.c | 22
ldap/servers/slapd/back-ldbm/vlv_srch.c | 4
ldap/servers/slapd/back-ldbm/vlv_srch.h | 3
ldap/servers/slapd/bind.c | 76 -
ldap/servers/slapd/connection.c | 26
ldap/servers/slapd/dse.c | 13
ldap/servers/slapd/dynalib.c | 27
ldap/servers/slapd/entry.c | 23
ldap/servers/slapd/entrywsi.c | 4
ldap/servers/slapd/filter.h | 1
ldap/servers/slapd/filtercmp.c | 19
ldap/servers/slapd/ldaputil.c | 75 +
ldap/servers/slapd/libglobs.c | 1
ldap/servers/slapd/mapping_tree.c | 51 +
ldap/servers/slapd/match.c | 57 +
ldap/servers/slapd/modrdn.c | 25
ldap/servers/slapd/pblock.c | 110 ++
ldap/servers/slapd/plugin_mr.c | 472 ++++++++++
ldap/servers/slapd/plugin_syntax.c | 335 ++++++-
ldap/servers/slapd/proto-slap.h | 26
ldap/servers/slapd/result.c | 4
ldap/servers/slapd/saslbind.c | 27
ldap/servers/slapd/schema.c | 12
ldap/servers/slapd/slap.h | 30
ldap/servers/slapd/slapi-plugin-compat4.h | 6
ldap/servers/slapd/slapi-plugin.h | 65 +
ldap/servers/slapd/tools/ldclt/ldapfct.c | 96 ++
ldap/servers/slapd/tools/ldclt/ldclt.c | 19
ldap/servers/slapd/tools/ldclt/ldcltU.c | 24
ldap/servers/slapd/valueset.c | 52 -
lib/libsi18n/coreres.c | 141 ---
lib/libsi18n/coreres.h | 52 -
lib/libsi18n/getlang.c | 330 -------
lib/libsi18n/getstrmem.c | 160 ---
lib/libsi18n/getstrprop.c | 85 -
lib/libsi18n/propset.c | 442 ---------
lib/libsi18n/propset.h | 80 -
m4/pcre.m4 | 7
wrappers/migratecred.in | 2
wrappers/mmldif.in | 2
wrappers/pwdhash.in | 2
99 files changed, 3981 insertions(+), 2447 deletions(-)
---
VERSION.sh
by Richard Allen Megginson
VERSION.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit 0f6734d1b559d5c798e6c56d05d1a0affff2b455
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Tue Mar 2 13:18:27 2010 -0700
bump version to 1.2.6.a3
diff --git a/VERSION.sh b/VERSION.sh
index 00cdcdf..c11ca1c 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -14,7 +14,7 @@ VERSION_MAINT=6
# if this is a PRERELEASE, set VERSION_PREREL
# otherwise, comment it out
# be sure to include the dot prefix in the prerel
-VERSION_PREREL=.a2
+VERSION_PREREL=.a3
# NOTES on VERSION_PREREL
# use aN for an alpha release e.g. a1, a2, etc.
# use rcN for a release candidate e.g. rc1, rc2, etc.
mod_nss mod_nss.c, 1.17, 1.18 mod_nss.h, 1.20, 1.21 nss_engine_config.c, 1.15, 1.16 nss_engine_init.c, 1.34, 1.35
by Rob Crittenden
Author: rcritten
Update of /cvs/dirsec/mod_nss
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13310
Modified Files:
mod_nss.c mod_nss.h nss_engine_config.c nss_engine_init.c
Log Message:
Add controls for managing SSL renegotiation
NSS is introducing some new controls in response to CVE-2009-3555,
MITM attacks via session renegotiation. This patch adds some tuning
so these options can be set at run time.
Patch contributed by Kai Engert based on some early work by Rob
Crittenden.
Index: mod_nss.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/mod_nss.c,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- mod_nss.c 18 Oct 2007 18:26:21 -0000 1.17
+++ mod_nss.c 2 Mar 2010 20:12:04 -0000 1.18
@@ -97,6 +97,14 @@
SSL_CMD_SRV(Nickname, TAKE1,
"SSL RSA Server Certificate nickname "
"(`Server-Cert'")
+#ifdef SSL_ENABLE_RENEGOTIATION
+ SSL_CMD_SRV(Renegotiation, FLAG,
+ "Enable SSL Renegotiation (default off) "
+ "(`on', `off')")
+ SSL_CMD_SRV(RequireSafeNegotiation, FLAG,
+ "If Rengotiation is allowed, require safe negotiation (default off) "
+ "(`on', `off')")
+#endif
#ifdef NSS_ENABLE_ECC
SSL_CMD_SRV(ECCNickname, TAKE1,
"SSL ECC Server Certificate nickname "
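Review bot: The help text added for `RequireSafeNegotiation` misspells "Renegotiation" as "Rengotiation" and says the option applies only "If Rengotiation is allowed", but the nss_engine_init.c change in this commit sets `SSL_REQUIRE_SAFE_NEGOTIATION` unconditionally, independent of `enablerenegotiation`. In NSS that option requires the peer's renegotiation-info signalling on every handshake, so an administrator relying on this text could misjudge which clients will be refused once it is switched on. Suggested wording: `"Require peers to support safe renegotiation (RFC 5746) on every handshake (default off) "`.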
Index: mod_nss.h
===================================================================
RCS file: /cvs/dirsec/mod_nss/mod_nss.h,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- mod_nss.h 9 May 2008 14:17:38 -0000 1.20
+++ mod_nss.h 2 Mar 2010 20:12:04 -0000 1.21
@@ -269,6 +269,10 @@
int tls;
int tlsrollback;
int enforce;
+#ifdef SSL_ENABLE_RENEGOTIATION
+ int enablerenegotiation;
+ int requiresafenegotiation;
+#endif
const char *nickname;
#ifdef NSS_ENABLE_ECC
const char *eccnickname;
@@ -383,6 +387,10 @@
const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg);
+#ifdef SSL_ENABLE_RENEGOTIATION
+const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
+const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag);
+#endif
#ifdef NSS_ENABLE_ECC
const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg);
#endif
Index: nss_engine_config.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_config.c,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- nss_engine_config.c 7 Jun 2007 14:58:09 -0000 1.15
+++ nss_engine_config.c 2 Mar 2010 20:12:05 -0000 1.16
@@ -78,6 +78,10 @@
mctx->tls = PR_FALSE;
mctx->tlsrollback = PR_FALSE;
+#ifdef SSL_ENABLE_RENEGOTIATION
+ mctx->enablerenegotiation = PR_FALSE;
+ mctx->requiresafenegotiation = PR_FALSE;
+#endif
mctx->enforce = PR_TRUE;
mctx->nickname = NULL;
#ifdef NSS_ENABLE_ECC
@@ -174,6 +178,10 @@
cfgMerge(eccnickname, NULL);
#endif
cfgMerge(enforce, PR_TRUE);
+#ifdef SSL_ENABLE_RENEGOTIATION
+ cfgMerge(enablerenegotiation, PR_FALSE);
+ cfgMerge(requiresafenegotiation, PR_FALSE);
+#endif
}
static void modnss_ctx_cfg_merge_proxy(modnss_ctx_t *base,
@@ -461,6 +469,26 @@
return NULL;
}
+#ifdef SSL_ENABLE_RENEGOTIATION
+const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->server->enablerenegotiation = flag ? PR_TRUE : PR_FALSE;
+
+ return NULL;
+}
+
+const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->server->requiresafenegotiation = flag ? PR_TRUE : PR_FALSE;
+
+ return NULL;
+}
+#endif
+
#ifdef NSS_ENABLE_ECC
const char *nss_cmd_NSSECCNickname(cmd_parms *cmd,
void *dcfg,
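Review bot: Both new handlers store the flag only in `sc->server`, and neither carries a comment saying so. The file also merges a proxy context (`modnss_ctx_cfg_merge_proxy`), which therefore keeps the `PR_FALSE` defaults from the first hunk whatever the directives say; whether the option-setting code in nss_engine_init.c also runs for that context is not visible here. If server-only is intended, record it above each handler, e.g. `/* NSSRenegotiation on|off: sets the server context only; the proxy context keeps its default */`.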
Index: nss_engine_init.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_init.c,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- nss_engine_init.c 16 Jul 2008 15:15:39 -0000 1.34
+++ nss_engine_init.c 2 Mar 2010 20:12:05 -0000 1.35
@@ -548,6 +548,24 @@
nss_die();
}
}
+#ifdef SSL_ENABLE_RENEGOTIATION
+ if (SSL_OptionSet(mctx->model, SSL_ENABLE_RENEGOTIATION,
+ mctx->enablerenegotiation ?
+ SSL_RENEGOTIATE_REQUIRES_XTN : SSL_RENEGOTIATE_NEVER
+ ) != SECSuccess) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "Unable to set SSL renegotiation");
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+ nss_die();
+ }
+ if (SSL_OptionSet(mctx->model, SSL_REQUIRE_SAFE_NEGOTIATION,
+ mctx->requiresafenegotiation) != SECSuccess) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "Unable to set SSL safe negotiation");
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+ nss_die();
+ }
+#endif
}
static void nss_init_ctx_protocol(server_rec *s,
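Review bot: When either `SSL_OptionSet` call fails, the explanatory message is logged at `APLOG_DEBUG` immediately before `nss_die()`, so at a normal LogLevel the server stops with only the raw NSS error from `nss_log_nss_error` and no hint of which option was rejected. Log both messages at the level of the fatal path: `ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Unable to set SSL renegotiation");` and the same for "Unable to set SSL safe negotiation". A one-line comment on the `SSL_RENEGOTIATE_REQUIRES_XTN : SSL_RENEGOTIATE_NEVER` choice, noting that "on" still never permits renegotiation without the extension, would help the next reader. The enclosing function starts outside the hunk.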
ldap/servers
by Richard Allen Megginson
ldap/servers/slapd/connection.c | 26 +++++++++++++++++++++++---
1 file changed, 23 insertions(+), 3 deletions(-)
New commits:
commit 142900b2757378bfbff34e3f390fcb1a292eea91
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Mon Mar 1 15:03:30 2010 -0700
Bug 551198 - LDAPI: incorrect logging to access log
https://bugzilla.redhat.com/show_bug.cgi?id=551198
Resolves: bug 551198
Bug Description: LDAPI: incorrect logging to access log
Reviewed by: nkinder (Thanks!)
Branch: HEAD
Fix Description: The connection logging code was not ldapi/unix socket
aware. Now we check for the socket type, and check to see if there is
a proper path name in the path field. The "server" side of the socket
seems not to get the path name set correctly - not sure why, but it doesn't
really matter, since the client side path name does seem to be set
correctly. The access log will contain the server side path and the client
side path, so something like "from local to /var/run/slapd-foo.socket"
Platforms tested: RHEL5 x86_64, Fedora 11 x86_64
Flag Day: no
Doc impact: no
diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
index 5c8decb..8686d16 100644
--- a/ldap/servers/slapd/connection.c
+++ b/ldap/servers/slapd/connection.c
@@ -242,7 +242,22 @@ connection_reset(Connection* conn, int ns, PRNetAddr * from, int fromLen, int is
* get peer address (IP address of this client)
*/
slapi_ch_free( (void**)&conn->cin_addr ); /* just to be conservative */
- if ( ((from->ipv6.ip.pr_s6_addr32[0] != 0) || /* from contains non zeros */
+ if ( from->raw.family == PR_AF_LOCAL ) { /* ldapi */
+ conn->cin_addr = (PRNetAddr *) slapi_ch_malloc( sizeof( PRNetAddr ) );
+ PL_strncpyz(buf_ip, from->local.path, sizeof(from->local.path));
+ memcpy( conn->cin_addr, from, sizeof( PRNetAddr ) );
+ if (!buf_ip[0]) {
+ PR_GetPeerName( conn->c_prfd, from );
+ PL_strncpyz(buf_ip, from->local.path, sizeof(from->local.path));
+ memcpy( conn->cin_addr, from, sizeof( PRNetAddr ) );
+ }
+ if (!buf_ip[0]) {
+ /* cannot derive local address */
+ /* need something for logging */
+ PL_strncpyz(buf_ip, "local", sizeof(buf_ip));
+ }
+ str_ip = buf_ip;
+ } else if ( ((from->ipv6.ip.pr_s6_addr32[0] != 0) || /* from contains non zeros */
(from->ipv6.ip.pr_s6_addr32[1] != 0) ||
(from->ipv6.ip.pr_s6_addr32[2] != 0) ||
(from->ipv6.ip.pr_s6_addr32[3] != 0)) ||
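Review bot: The new `PL_strncpyz(buf_ip, from->local.path, sizeof(from->local.path));` bounds the copy by the size of the source field rather than the destination, unlike the `PL_strncpyz(buf_ip, "local", sizeof(buf_ip));` fallback a few lines below. The same pattern appears twice in this hunk and again for `buf_destip` in the third hunk. The declarations of `buf_ip` and `buf_destip` are outside the hunks, so the copies are only safe if both buffers are at least as large as `local.path`; bounding by the smaller size removes that dependency, e.g. `PL_strncpyz(buf_ip, from->local.path, PR_MIN(sizeof(buf_ip), sizeof(from->local.path)));`. The return value of `PR_GetPeerName( conn->c_prfd, from )` is also ignored, so on failure the caller's `from` is copied into `conn->cin_addr` in whatever state the call left it. connection_reset starts and ends outside these hunks.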
@@ -261,7 +276,6 @@ connection_reset(Connection* conn, int ns, PRNetAddr * from, int fromLen, int is
}
buf_ip[ sizeof( buf_ip ) - 1 ] = '\0';
str_ip = buf_ip;
-
} else {
/* try syscall since "from" was not given and PR_GetPeerName failed */
/* a corner case */
@@ -307,7 +321,13 @@ connection_reset(Connection* conn, int ns, PRNetAddr * from, int fromLen, int is
conn->cin_destaddr = (PRNetAddr *) slapi_ch_malloc( sizeof( PRNetAddr ) );
memset( conn->cin_destaddr, 0, sizeof( PRNetAddr ));
if (PR_GetSockName( conn->c_prfd, conn->cin_destaddr ) == 0) {
- if ( PR_IsNetAddrType( conn->cin_destaddr, PR_IpAddrV4Mapped ) ) {
+ if ( conn->cin_destaddr->raw.family == PR_AF_LOCAL ) { /* ldapi */
+ PL_strncpyz(buf_destip, conn->cin_destaddr->local.path,
+ sizeof(conn->cin_destaddr->local.path));
+ if (!buf_destip[0]) {
+ PL_strncpyz(buf_destip, "unknown local file", sizeof(buf_destip));
+ }
+ } else if ( PR_IsNetAddrType( conn->cin_destaddr, PR_IpAddrV4Mapped ) ) {
PRNetAddr v4destaddr;
memset( &v4destaddr, 0, sizeof( v4destaddr ) );
v4destaddr.inet.family = PR_AF_INET;