-llber hardening
This commit is contained in:
parent
7d0486f907
commit
60de04c533
7 changed files with 82 additions and 23 deletions
@ -40,6 +40,8 @@ char *default_passwd_hash;
|
|||
char *default_search_base = NULL;
|
||||
char *default_search_nbase = NULL;
|
||||
|
||||
ber_len_t sockbuf_max_incoming = SLAP_SB_MAX_INCOMING_DEFAULT;
|
||||
|
||||
char *slapd_pid_file = NULL;
|
||||
char *slapd_args_file = NULL;
|
||||
|
||||
|
|
@ -168,6 +170,43 @@ read_config( const char *fname )
|
|||
|
||||
ldap_pvt_thread_set_concurrency( c );
|
||||
|
||||
/* set sockbuf max */
|
||||
} else if ( strcasecmp( cargv[0], "sockbuf_max_incoming" ) == 0 ) {
|
||||
long max;
|
||||
if ( cargc < 2 ) {
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG(( "config", LDAP_LEVEL_CRIT,
|
||||
"%s: line %d: missing max in \"sockbuf_max_incoming <bytes\" line\n",
|
||||
fname, lineno ));
|
||||
#else
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: missing max in \"sockbuf_max_incoming <bytes\" line\n",
|
||||
fname, lineno, 0 );
|
||||
#endif
|
||||
|
||||
return( 1 );
|
||||
}
|
||||
|
||||
max = atol( cargv[1] );
|
||||
|
||||
if( max < 0 ) {
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG(( "config", LDAP_LEVEL_CRIT,
|
||||
"%s: line %d: invalid max value (%ld) in "
|
||||
"\"sockbuf_max_incoming <bytes>\" line.\n",
|
||||
fname, lineno, max ));
|
||||
#else
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: invalid max value (%ld) in "
|
||||
"\"sockbuf_max_incoming <bytes>\" line.\n",
|
||||
fname, lineno, max );
|
||||
#endif
|
||||
|
||||
return( 1 );
|
||||
}
|
||||
|
||||
sockbuf_max_incoming = max;
|
||||
|
||||
/* default search base */
|
||||
} else if ( strcasecmp( cargv[0], "defaultSearchBase" ) == 0 ) {
|
||||
if ( cargc < 2 ) {
|
||||
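Review bot: The two error messages on the missing-argument path spell the directive as `"sockbuf_max_incoming <bytes"` without the closing `>`, unlike the invalid-value messages further down the same hunk; both format strings should read `"sockbuf_max_incoming <bytes>"`. The value is parsed with `max = atol( cargv[1] );`, which returns 0 for non-numeric text and gives no overflow indication, so a typo such as `sockbuf_max_incoming 256k` passes the `max < 0` test and installs 0 as the cap — what liblber does with a cap of 0 is not visible here, but it is unlikely to be what the administrator intended for a hardening knob. Parse with strtol and reject trailing text: `char *end;` then `max = strtol( cargv[1], &end, 10 );` and `if ( end == cargv[1] || *end != '\0' || max < 0 ) {` in place of the bare `if( max < 0 ) {`. read_config continues outside the hunk.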
@ -362,33 +362,39 @@ long connection_init(
|
|||
|
||||
assert( c != NULL );
|
||||
|
||||
if( c->c_struct_state == SLAP_C_UNINITIALIZED ) {
|
||||
if( c->c_struct_state == SLAP_C_UNINITIALIZED ) {
|
||||
c->c_authmech = NULL;
|
||||
c->c_dn = NULL;
|
||||
c->c_cdn = NULL;
|
||||
c->c_dn = NULL;
|
||||
c->c_cdn = NULL;
|
||||
|
||||
c->c_listener_url = NULL;
|
||||
c->c_peer_domain = NULL;
|
||||
c->c_peer_name = NULL;
|
||||
c->c_sock_name = NULL;
|
||||
c->c_peer_name = NULL;
|
||||
c->c_sock_name = NULL;
|
||||
|
||||
c->c_ops = NULL;
|
||||
c->c_pending_ops = NULL;
|
||||
c->c_ops = NULL;
|
||||
c->c_pending_ops = NULL;
|
||||
|
||||
c->c_sasl_bind_mech = NULL;
|
||||
c->c_sasl_context = NULL;
|
||||
c->c_sasl_extra = NULL;
|
||||
|
||||
c->c_sb = ber_sockbuf_alloc( );
|
||||
c->c_sb = ber_sockbuf_alloc( );
|
||||
|
||||
{
|
||||
ber_len_t max = sockbuf_max_incoming;
|
||||
ber_sockbuf_ctrl( c->c_sb, LBER_SB_OPT_SET_MAX_INCOMING, &max );
|
||||
}
|
||||
|
||||
c->c_currentber = NULL;
|
||||
|
||||
/* should check status of thread calls */
|
||||
ldap_pvt_thread_mutex_init( &c->c_mutex );
|
||||
ldap_pvt_thread_mutex_init( &c->c_write_mutex );
|
||||
ldap_pvt_thread_cond_init( &c->c_write_cv );
|
||||
/* should check status of thread calls */
|
||||
ldap_pvt_thread_mutex_init( &c->c_mutex );
|
||||
ldap_pvt_thread_mutex_init( &c->c_write_mutex );
|
||||
ldap_pvt_thread_cond_init( &c->c_write_cv );
|
||||
|
||||
c->c_struct_state = SLAP_C_UNUSED;
|
||||
}
|
||||
c->c_struct_state = SLAP_C_UNUSED;
|
||||
}
|
||||
|
||||
ldap_pvt_thread_mutex_lock( &c->c_mutex );
|
||||
|
||||
|
|
@ -576,9 +582,15 @@ connection_destroy( Connection *c )
|
|||
c->c_connid, sd, 0, 0, 0 );
|
||||
}
|
||||
|
||||
ber_sockbuf_free( c->c_sb );
|
||||
ber_sockbuf_free( c->c_sb );
|
||||
|
||||
c->c_sb = ber_sockbuf_alloc( );
|
||||
|
||||
{
|
||||
ber_len_t max = sockbuf_max_incoming;
|
||||
ber_sockbuf_ctrl( c->c_sb, LBER_SB_OPT_SET_MAX_INCOMING, &max );
|
||||
}
|
||||
|
||||
c->c_conn_state = SLAP_C_INVALID;
|
||||
c->c_struct_state = SLAP_C_UNUSED;
|
||||
}
|
||||
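Review bot: The result of `ber_sockbuf_alloc( )` is stored into `c->c_sb` and passed straight to `ber_sockbuf_ctrl( c->c_sb, LBER_SB_OPT_SET_MAX_INCOMING, &max )` without a NULL check, in connection_init and again in connection_destroy, so an allocation failure dereferences NULL inside liblber instead of failing the connection. The return value of ber_sockbuf_ctrl is also discarded; if that call can fail, the connection silently runs without the incoming-size cap this commit exists to impose, which is the one failure mode a hardening change should not have. The alloc-plus-cap pair is now duplicated verbatim in both functions; I would pull it into one static helper and have both call sites check its result, as below (Sockbuf presumably being liblber's handle type — confirm against lber.h). How connection_init should report the failure to its callers is not visible in the hunk, so the error path is left as a note.
```c
/* Allocate a sockbuf with the configured incoming-PDU cap applied.
 * Returns NULL if liblber cannot allocate it. */
static Sockbuf *
connection_sb_alloc( void )
{
	ber_len_t max = sockbuf_max_incoming;
	Sockbuf *sb = ber_sockbuf_alloc( );

	if ( sb == NULL ) {
		return NULL;
	}
	/* NOTE(review): if ber_sockbuf_ctrl can report failure, treat it as fatal here */
	ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_MAX_INCOMING, &max );
	return sb;
}

/* … unchanged: connection_init up to c->c_sasl_extra = NULL … */
		c->c_sb = connection_sb_alloc( );
		if ( c->c_sb == NULL ) {
			/* NOTE(review): undo the state set above and return the error value callers expect */
		}
```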
@ -181,7 +181,7 @@ return_results:
|
|||
|
||||
if( sendres && rc != LDAP_SUCCESS ) {
|
||||
if( rc == SLAPD_DISCONNECT ) {
|
||||
send_ldap_disconnect( conn, op, rc, errmsg );
|
||||
send_ldap_disconnect( conn, op, LDAP_PROTOCOL_ERROR, errmsg );
|
||||
} else {
|
||||
send_ldap_result( conn, op, rc,
|
||||
NULL, errmsg, NULL, NULL );
|
||||
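Review bot: The replacement of `rc` by `LDAP_PROTOCOL_ERROR` in the `SLAPD_DISCONNECT` branch deserves a comment, because the next reader will see `rc` still passed to send_ldap_result two lines below and assume the disconnect path was merely inconsistent. I would add above the call: `/* SLAPD_DISCONNECT is an internal status, not an LDAP result code; never put it on the wire */`. If other callers of send_ldap_disconnect still pass a raw `rc`, they presumably need the same treatment — not visible here. The enclosing function starts before the hunk.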
@ -543,7 +543,7 @@ static Listener * slap_open_listener(
|
|||
|
||||
case AF_INET: {
|
||||
char *s;
|
||||
#ifdef HAVE_GETADDRINFO
|
||||
#if defined( HAVE_GETADDRINFO ) && defined( INET_NTOP )
|
||||
char addr[INET_ADDRSTRLEN];
|
||||
inet_ntop( AF_INET, &((struct sockaddr_in *)*sal)->sin_addr,
|
||||
addr, sizeof(addr) );
|
||||
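Review bot: Under the new `#if defined( HAVE_GETADDRINFO ) && defined( INET_NTOP )` guard the result of `inet_ntop( ..., addr, sizeof(addr) )` is still unchecked, so on failure `addr` stays uninitialized and whatever consumes it below the hunk (presumably the listener's address string) reads stack garbage. Make the failure explicit with `if ( inet_ntop( AF_INET, &((struct sockaddr_in *)*sal)->sin_addr, addr, sizeof(addr) ) == NULL ) {` and a fallback, or at minimum `addr[0] = '\0';` before the call. The symbol tested is `INET_NTOP` rather than a `HAVE_INET_NTOP`-style autoconf macro; worth confirming the configure check actually defines that name, otherwise this branch is dead and the `#else` path is always taken. slap_open_listener continues on both sides of the hunk.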
@ -264,8 +264,14 @@ entry2str(
|
|||
void
|
||||
entry_free( Entry *e )
|
||||
{
|
||||
Attribute *a, *next;
|
||||
/* free an entry structure */
|
||||
assert( e != NULL );
|
||||
|
||||
/* e_private must be freed by the caller */
|
||||
assert( e->e_private == NULL );
|
||||
e->e_private = NULL;
|
||||
|
||||
/* free DNs */
|
||||
if ( e->e_dn != NULL ) {
|
||||
free( e->e_dn );
|
||||
e->e_dn = NULL;
|
||||
|
|
@ -274,12 +280,11 @@ entry_free( Entry *e )
|
|||
free( e->e_ndn );
|
||||
e->e_ndn = NULL;
|
||||
}
|
||||
for ( a = e->e_attrs; a != NULL; a = next ) {
|
||||
next = a->a_next;
|
||||
attr_free( a );
|
||||
}
|
||||
|
||||
/* free attributes */
|
||||
attrs_free( e->e_attrs );
|
||||
e->e_attrs = NULL;
|
||||
e->e_private = NULL;
|
||||
|
||||
free( e );
|
||||
}
|
||||
|
||||
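Review bot: `assert( e->e_private == NULL );` is the only enforcement of the new "caller frees e_private" contract, and in an NDEBUG build it disappears, leaving the unconditional `e->e_private = NULL;` that follows to make a leaked backend-private pointer look intentional. If caller ownership is a hard invariant, say so where a reader will see it by replacing `/* e_private must be freed by the caller */` with `/* e_private is owned by the caller (backend); it must already be released and NULL here, entry_free never frees it */`. If it is not a hard invariant, the assert is the wrong tool and the release build should at least log a non-NULL e_private before dropping it. entry_free lies entirely within the two hunks.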
@ -760,6 +760,8 @@ LDAP_SLAPD_F (int) krbv4_ldap_auth();
|
|||
/*
|
||||
* Other...
|
||||
*/
|
||||
#define SLAP_SB_MAX_INCOMING_DEFAULT (1<<18 - 1)
|
||||
LDAP_SLAPD_F (ber_len_t) sockbuf_max_incoming;
|
||||
|
||||
LDAP_SLAPD_F (slap_mask_t) global_restrictops;
|
||||
LDAP_SLAPD_F (slap_mask_t) global_allows;
|
||||
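Review bot: `#define SLAP_SB_MAX_INCOMING_DEFAULT (1<<18 - 1)` does not compute 256K-1: in C `-` binds tighter than `<<`, so this expands to `1 << 17`, i.e. 131072. Write it as `((1<<18) - 1)` (262143) or spell the intended value out. The identical expression appears as `SLAP_MAX_INCOMING` in the slap.h hunk of this same commit; one of the two constants looks redundant, and the default should be defined once and referenced from the other header. The `LDAP_SLAPD_F (ber_len_t) sockbuf_max_incoming;` declaration agrees with the `ber_len_t` definition in the config.c hunk.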
@ -58,6 +58,7 @@ LDAP_BEGIN_DECL
|
|||
|
||||
#define MAXREMATCHES 10
|
||||
|
||||
#define SLAP_MAX_INCOMING (1<<18 - 1)
|
||||
#define SLAP_MAX_WORKER_THREADS 32
|
||||
|
||||
|
||||
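Review bot: `#define SLAP_MAX_INCOMING (1<<18 - 1)` has the same precedence problem as its twin in the proto-slap.h hunk: `-` binds tighter than `<<`, so it is `1 << 17` = 131072 rather than 262143. Use `((1<<18) - 1)`. None of this commit's visible hunks references SLAP_MAX_INCOMING — the sockbuf code reads SLAP_SB_MAX_INCOMING_DEFAULT — so either drop this one or make proto-slap.h define its default in terms of it, so the cap has a single source of truth.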