On Wed, Jul 11, 2012 at 03:54:07PM +0200, Petr Spacek wrote:
> Hello,
>
> this patch fixes a bug introduced by the CVE-2012-2134 fix (commit
> cd33194c5a61e98cba53212458cce02b849077ba).
>
> From cd33194c5a61e98cba53212458cce02b849077ba up to now, each query
> for a nonexistent DNS name results in two (exactly the same) LDAP queries.
Ack, please push it to master. Regards, Adam > From 965a2f9443fcec2b4e32acf726aaa5a6de5b91c3 Mon Sep 17 00:00:00 2001 > From: Petr Spacek <pspa...@redhat.com> > Date: Wed, 11 Jul 2012 12:10:16 +0200 > Subject: [PATCH] Prevent doubled LDAP queries during nonexistent DNS name > lookups. This problem was introduced in commit > cd33194c5a61e98cba53212458cce02b849077ba (CVE-2012-2134 > fix). > > Signed-off-by: Petr Spacek <pspa...@redhat.com> > --- > src/ldap_helper.c | 7 ++++++- > 1 files changed, 6 insertions(+), 1 deletions(-) > > diff --git a/src/ldap_helper.c b/src/ldap_helper.c > index > 7f0a6f4b37171a6fa4db79cd32fdd8bc62288e0f..b06036f89fdf088e2d3c3ef964165d23c2d20172 > 100644 > --- a/src/ldap_helper.c > +++ b/src/ldap_helper.c > @@ -1618,6 +1618,7 @@ ldap_query(ldap_instance_t *ldap_inst, > ldap_connection_t *ldap_conn, > isc_result_t result; > int cnt; > int ret; > + int ldap_err_code; > int once = 0; > > REQUIRE(ldap_conn != NULL); > @@ -1661,8 +1662,12 @@ retry: > return ISC_R_SUCCESS; > } > > + ret = ldap_get_option(ldap_conn->handle, LDAP_OPT_RESULT_CODE, > + (void *)&ldap_err_code); > + if (ret == LDAP_OPT_SUCCESS && ldap_err_code == LDAP_NO_SUCH_OBJECT) > + return ISC_R_NOTFOUND; > /* some error happened during ldap_search, try to recover */ > - if (!once) { > + else if (!once) { > once++; > result = handle_connection_error(ldap_inst, ldap_conn, > ISC_FALSE); > -- > 1.7.7.6 > -- Adam Tkac, Red Hat, Inc. _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
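Review bot: In the second hunk (`@@ -1661,8 +1662,12 @@`), `ret = ldap_get_option(...)` reuses the `ret` variable that held the `ldap_search` return value; if the recovery path that follows still reports or branches on `ret`, it will now see the `ldap_get_option()` status rather than the search error, so the option call's return should go into its own variable. Also, the `else` in `else if (!once)` is redundant after the preceding `return ISC_R_NOTFOUND;` and leaves the `/* some error happened during ldap_search, try to recover */` comment dangling between the two branches; keeping the original `if (!once)` and placing the new `LDAP_NO_SUCH_OBJECT` check above that comment reads more naturally.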