Hello,

this patch fixes a bug introduced by the CVE-2012-2134 fix (commit cd33194c5a61e98cba53212458cce02b849077ba).

From cd33194c5a61e98cba53212458cce02b849077ba up to now, each query for a nonexistent DNS name results in two (exactly the same) LDAP queries.

Petr^2 Spacek
From 965a2f9443fcec2b4e32acf726aaa5a6de5b91c3 Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Wed, 11 Jul 2012 12:10:16 +0200
Subject: [PATCH] Prevent doubled LDAP queries during nonexistent DNS name
 lookups. This problem was introduced in commit
 cd33194c5a61e98cba53212458cce02b849077ba (CVE-2012-2134
 fix).

Signed-off-by: Petr Spacek <pspa...@redhat.com>
---
 src/ldap_helper.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 7f0a6f4b37171a6fa4db79cd32fdd8bc62288e0f..b06036f89fdf088e2d3c3ef964165d23c2d20172 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -1618,6 +1618,7 @@ ldap_query(ldap_instance_t *ldap_inst, ldap_connection_t *ldap_conn,
 	isc_result_t result;
 	int cnt;
 	int ret;
+	int ldap_err_code;
 	int once = 0;
 
 	REQUIRE(ldap_conn != NULL);
@@ -1661,8 +1662,12 @@ retry:
 		return ISC_R_SUCCESS;
 	}
 
+	ret = ldap_get_option(ldap_conn->handle, LDAP_OPT_RESULT_CODE,
+			      (void *)&ldap_err_code);
+	if (ret == LDAP_OPT_SUCCESS && ldap_err_code == LDAP_NO_SUCH_OBJECT)
+		return ISC_R_NOTFOUND;
 	/* some error happened during ldap_search, try to recover */
-	if (!once) {
+	else if (!once) {
 		once++;
 		result = handle_connection_error(ldap_inst, ldap_conn,
 						 ISC_FALSE);
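Review bot: the comment `/* some error happened during ldap_search, try to recover */` now sits between the new `return ISC_R_NOTFOUND;` and the `else if (!once)` it describes, which makes the control flow harder to read; since the new branch always returns, the `else` is redundant and a plain `if (!once)` with the comment directly above it would be clearer. It would also help to add a one-line comment above the `LDAP_NO_SUCH_OBJECT` check stating the reason for it: noSuchObject is the expected answer for a nonexistent DNS name, and letting it fall into the `handle_connection_error()` path is what caused the reconnect and the second, identical LDAP query that this patch removes.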
-- 
1.7.7.6

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel