summaryrefslogtreecommitdiff
path: root/gnu/packages/patches/openldap-CVE-2020-12243.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/openldap-CVE-2020-12243.patch')
-rw-r--r--gnu/packages/patches/openldap-CVE-2020-12243.patch125
1 files changed, 0 insertions, 125 deletions
diff --git a/gnu/packages/patches/openldap-CVE-2020-12243.patch b/gnu/packages/patches/openldap-CVE-2020-12243.patch
deleted file mode 100644
index 6321998198..0000000000
--- a/gnu/packages/patches/openldap-CVE-2020-12243.patch
+++ /dev/null
@@ -1,125 +0,0 @@
-From 98464c11df8247d6a11b52e294ba5dd4f0380440 Mon Sep 17 00:00:00 2001
-From: Howard Chu <hyc@openldap.org>
-Date: Thu, 16 Apr 2020 01:08:19 +0100
-Subject: [PATCH] ITS#9202 limit depth of nested filters
-
-Using a hardcoded limit for now; no reasonable apps
-should ever run into it.
----
- servers/slapd/filter.c | 41 ++++++++++++++++++++++++++++++++---------
- 1 file changed, 32 insertions(+), 9 deletions(-)
-
-diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
-index 3252cf2a7..ed57bbd7b 100644
---- a/servers/slapd/filter.c
-+++ b/servers/slapd/filter.c
-@@ -37,11 +37,16 @@
- const Filter *slap_filter_objectClass_pres;
- const struct berval *slap_filterstr_objectClass_pres;
-
-+#ifndef SLAPD_MAX_FILTER_DEPTH
-+#define SLAPD_MAX_FILTER_DEPTH 5000
-+#endif
-+
- static int get_filter_list(
- Operation *op,
- BerElement *ber,
- Filter **f,
-- const char **text );
-+ const char **text,
-+ int depth );
-
- static int get_ssa(
- Operation *op,
-@@ -80,12 +85,13 @@ filter_destroy( void )
- return;
- }
-
--int
--get_filter(
-+static int
-+get_filter0(
- Operation *op,
- BerElement *ber,
- Filter **filt,
-- const char **text )
-+ const char **text,
-+ int depth )
- {
- ber_tag_t tag;
- ber_len_t len;
-@@ -126,6 +132,11 @@ get_filter(
- *
- */
-
-+ if( depth > SLAPD_MAX_FILTER_DEPTH ) {
-+ *text = "filter nested too deeply";
-+ return SLAPD_DISCONNECT;
-+ }
-+
- tag = ber_peek_tag( ber, &len );
-
- if( tag == LBER_ERROR ) {
-@@ -221,7 +232,7 @@ get_filter(
-
- case LDAP_FILTER_AND:
- Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
-- err = get_filter_list( op, ber, &f.f_and, text );
-+ err = get_filter_list( op, ber, &f.f_and, text, depth+1 );
- if ( err != LDAP_SUCCESS ) {
- break;
- }
-@@ -234,7 +245,7 @@ get_filter(
-
- case LDAP_FILTER_OR:
- Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
-- err = get_filter_list( op, ber, &f.f_or, text );
-+ err = get_filter_list( op, ber, &f.f_or, text, depth+1 );
- if ( err != LDAP_SUCCESS ) {
- break;
- }
-@@ -248,7 +259,7 @@ get_filter(
- case LDAP_FILTER_NOT:
- Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
- (void) ber_skip_tag( ber, &len );
-- err = get_filter( op, ber, &f.f_not, text );
-+ err = get_filter0( op, ber, &f.f_not, text, depth+1 );
- if ( err != LDAP_SUCCESS ) {
- break;
- }
-@@ -311,10 +322,22 @@ get_filter(
- return( err );
- }
-
-+int
-+get_filter(
-+ Operation *op,
-+ BerElement *ber,
-+ Filter **filt,
-+ const char **text )
-+{
-+ return get_filter0( op, ber, filt, text, 0 );
-+}
-+
-+
- static int
- get_filter_list( Operation *op, BerElement *ber,
- Filter **f,
-- const char **text )
-+ const char **text,
-+ int depth )
- {
- Filter **new;
- int err;
-@@ -328,7 +351,7 @@ get_filter_list( Operation *op, BerElement *ber,
- tag != LBER_DEFAULT;
- tag = ber_next_element( ber, &len, last ) )
- {
-- err = get_filter( op, ber, new, text );
-+ err = get_filter0( op, ber, new, text, depth );
- if ( err != LDAP_SUCCESS )
- return( err );
- new = &(*new)->f_next;
---
-2.26.2
-
generated by cgit v1.2.3 (git 2.45.2) at 2024-07-24 20:34:20 +0000