Add security checks to root DSE searches.

Fix checking of require statements.
2025-12-24 08:39:37 -05:00 · 2001-02-03 02:21:37 +00:00 · 2001-02-03 02:21:37 +00:00 · 8091aedc76
commit 8091aedc76
parent 12e9ed8e12
3 changed files with 33 additions and 29 deletions
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@ -709,7 +709,7 @@ backend_check_restrictions(
 	Backend *be,
 	Connection *conn,
 	Operation *op,
-	const char *extoid,
+	const void *opdata,
 	const char **text )
 {
 	int rc;
@ -773,7 +773,9 @@ backend_check_restrictions(
 		return LDAP_OTHER;
 	}

-	if (( extoid == NULL || strcmp( extoid, LDAP_EXOP_START_TLS ) ) ) {
+	if ( op->o_tag != LDAP_REQ_EXTENDED
+		|| strcmp( (const char *) opdata, LDAP_EXOP_START_TLS ) )
+	{
 		/* these checks don't apply to StartTLS */

 		if( op->o_tag == LDAP_REQ_EXTENDED ) {
@ -818,10 +820,11 @@ backend_check_restrictions(
 		}
 	}

-	if (( extoid == NULL || strcmp( extoid, LDAP_EXOP_START_TLS ) )
-		|| op->o_tag == LDAP_REQ_BIND )
+	if ( op->o_tag != LDAP_REQ_BIND &&
+		( op->o_tag != LDAP_REQ_EXTENDED ||
+		  strcmp( (const char *) opdata, LDAP_EXOP_START_TLS ) ) )
 	{
-		/* these checks don't apply to StartTLS or Bind */
+		/* these checks don't apply to Bind or StartTLS */

 		if( requires & SLAP_REQUIRE_STRONG ) {
 			/* should check mechanism */
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@ -167,7 +167,7 @@ LDAP_SLAPD_F( int )	backend_check_restrictions LDAP_P((
 	BackendDB *be,
 	Connection *conn,
 	Operation *op,
-	const char *extoid,
+	const void *opdata,
 	const char **text ));

 LDAP_SLAPD_F( int )	backend_check_referrals LDAP_P((
--- a/servers/slapd/search.c
+++ b/servers/slapd/search.c
@ -197,6 +197,28 @@ do_search(
 	    "conn=%ld op=%d SRCH base=\"%s\" scope=%d filter=\"%s\"\n",
 	    op->o_connid, op->o_opid, base, scope, fstr );

+	manageDSAit = get_manageDSAit( op );
+
+	if( scope != LDAP_SCOPE_BASE && nbase[0] == '\0' &&
+		default_search_nbase != NULL )
+	{
+		ch_free( base );
+		ch_free( nbase );
+		base = ch_strdup( default_search_base );
+		nbase = ch_strdup( default_search_nbase );
+	}
+
+	/* Select backend */
+	be = select_backend( nbase, manageDSAit );
+
+	/* check restrictions */
+	rc = backend_check_restrictions( be, conn, op, NULL, &text ) ;
+	if( rc != LDAP_SUCCESS ) {
+		send_ldap_result( conn, op, rc,
+			NULL, text, NULL, NULL );
+		goto return_results;
+	}
+
 	if ( scope == LDAP_SCOPE_BASE ) {
 		Entry *entry = NULL;

@ -244,35 +266,14 @@ do_search(
 		}
 	}

-	if( nbase[0] == '\0' && default_search_nbase != NULL ) {
-		ch_free( base );
-		ch_free( nbase );
-		base = ch_strdup( default_search_base );
-		nbase = ch_strdup( default_search_nbase );
-	}
-
-	manageDSAit = get_manageDSAit( op );
-
-	/*
-	 * We could be serving multiple database backends.  Select the
-	 * appropriate one, or send a referral to our "referral server"
-	 * if we don't hold it.
-	 */
-	if ( (be = select_backend( nbase, manageDSAit )) == NULL ) {
+	if ( be == NULL ) {
+		/* no backend, return a referral (or noSuchObject) */
 		send_ldap_result( conn, op, rc = LDAP_REFERRAL,
 			NULL, NULL, default_referral, NULL );

 		goto return_results;
 	}

-	/* check restrictions */
-	rc = backend_check_restrictions( be, conn, op, NULL, &text ) ;
-	if( rc != LDAP_SUCCESS ) {
-		send_ldap_result( conn, op, rc,
-			NULL, text, NULL, NULL );
-		goto return_results;
-	}
-
 	/* check for referrals */
 	rc = backend_check_referrals( be, conn, op, base, nbase );
 	if ( rc != LDAP_SUCCESS ) {