[Fedora-directory-commits] ldapserver/ldap/servers/plugins/syntaxes string.c, 1.10, 1.11

Noriko Hosoi (nhosoi) fedora-directory-commits at redhat.com
Mon Jun 30 17:28:18 UTC 2008 

Author: nhosoi

Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/syntaxes
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv26906/plugins/syntaxes

Modified Files:
	string.c 
Log Message:
Resoves: #448831
Summary: attacker can tie up CPU in regex code
Description: when substring search is requested, sets the time limit based upon
the nsslapd-timelimit value.  Pass the timelimit (time_up) to the regular
expression function.  When the time is up, it returns the "Timelimit exceeded"
error.	Note: timelimit is applied non-Directory Manager users.



Index: string.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/syntaxes/string.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- string.c	29 Apr 2008 00:38:36 -0000	1.10
+++ string.c	30 Jun 2008 17:28:16 -0000	1.11
@@ -195,9 +195,20 @@
 	char		pat[BUFSIZ];
 	char		buf[BUFSIZ];
 	char		ebuf[BUFSIZ];
+	time_t		curtime = 0;
+	time_t		time_up = 0;
+	time_t		optime = 0; /* time op was initiated */
+	int		timelimit = 0; /* search timelimit */
 
 	LDAPDebug( LDAP_DEBUG_FILTER, "=> string_filter_sub\n",
 	    0, 0, 0 );
+	slapi_pblock_get( pb, SLAPI_SEARCH_TIMELIMIT, &timelimit );
+	slapi_pblock_get( pb, SLAPI_OPINITIATED_TIME, &optime );
+	/*
+	 * (timelimit==-1) means no time limit
+	 */
+	time_up = ( timelimit==-1 ? -1 : optime + timelimit);
+
 	/*
 	 * construct a regular expression corresponding to the
 	 * filter and let regex do the work for each value
@@ -259,18 +270,21 @@
 	p = (bigpat) ? bigpat : pat;
 	slapd_re_lock();
 	if ( (tmpbuf = slapd_re_comp( p )) != 0 ) {
-		LDAPDebug( LDAP_DEBUG_ANY, "re_comp (%s) failed (%s)\n",
-		    pat, p, 0 );
-		slapd_re_unlock();
-		if( bigpat != NULL ) {
-			slapi_ch_free((void**)&bigpat );
-		}
-		return( LDAP_OPERATIONS_ERROR );
+		LDAPDebug( LDAP_DEBUG_ANY, "re_comp (%s) failed (%s): %s\n",
+		    pat, p, tmpbuf );
+		rc = LDAP_OPERATIONS_ERROR;
+		goto bailout;
 	} else {
  		LDAPDebug( LDAP_DEBUG_TRACE, "re_comp (%s)\n",
 				   escape_string( p, ebuf ), 0, 0 );
 	}
 
+	curtime = current_time();
+	if ( time_up != -1 && curtime > time_up ) {
+		rc = LDAP_TIMELIMIT_EXCEEDED;
+		goto bailout;
+	}
+
 	/*
 	 * test the regex against each value
 	 */
@@ -296,22 +310,22 @@
 		}
 		value_normalize( realval, syntax, 1 /* trim leading blanks */ );
 
-		tmprc = slapd_re_exec( realval );
+		tmprc = slapd_re_exec( realval, time_up );
 
 		LDAPDebug( LDAP_DEBUG_TRACE, "re_exec (%s) %i\n",
 				   escape_string( realval, ebuf ), tmprc, 0 );
-		if ( tmprc != 0 ) {
+		if ( tmprc == 1 ) {
 			rc = 0;
 			break;
+		} else if ( tmprc != 0 ) {
+			rc = tmprc;
+			break;
 		}
 	}
+bailout:
 	slapd_re_unlock();
-	if ( tmpbuf != NULL ) {
-		slapi_ch_free((void**)&tmpbuf );
-	}
-	if( bigpat != NULL ) {
-		slapi_ch_free((void**)&bigpat );
-	} 
+	slapi_ch_free((void**)&tmpbuf );	/* NULL is fine */
+	slapi_ch_free((void**)&bigpat );	/* NULL is fine */
 
 	LDAPDebug( LDAP_DEBUG_FILTER, "<= string_filter_sub %d\n",
 	    rc, 0, 0 );

More information about the Fedora-directory-commits mailing list