Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13745/ldap/servers/slapd
Modified Files:
libglobs.c proto-slap.h sasl_io.c slap.h
Log Message:
Resolves: 387851
Summary: Add configuration parameter to limit maximum allowed incoming SASL IO packet
size.
Index: libglobs.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/libglobs.c,v
retrieving revision 1.30
retrieving revision 1.31
diff -u -r1.30 -r1.31
--- libglobs.c 13 Nov 2008 21:56:29 -0000 1.30
+++ libglobs.c 25 Nov 2008 19:20:26 -0000 1.31
@@ -525,6 +525,9 @@
{CONFIG_MAXBERSIZE_ATTRIBUTE, config_set_maxbersize,
NULL, 0,
(void**)&global_slapdFrontendConfig.maxbersize, CONFIG_INT, NULL},
+ {CONFIG_MAXSASLIOSIZE_ATTRIBUTE, config_set_maxsasliosize,
+ NULL, 0,
+ (void**)&global_slapdFrontendConfig.maxsasliosize, CONFIG_INT, NULL},
{CONFIG_VERSIONSTRING_ATTRIBUTE, config_set_versionstring,
NULL, 0,
(void**)&global_slapdFrontendConfig.versionstring, CONFIG_STRING, NULL},
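Review bot: The new table entry tags `maxsasliosize` as `CONFIG_INT` while the field itself is declared `size_t` in slap.h; if the generic config reader dereferences the stored pointer as an `int`, on an LP64 build it would read only half of the 8-byte field. The `maxbersize` entry directly above pairs `CONFIG_INT` with a `ber_len_t` field, so this may be established practice here, but it is worth confirming against how `CONFIG_INT` is consumed before relying on the value being read back correctly. The table this hunk edits starts and ends outside the hunk.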
@@ -4488,6 +4491,42 @@
}
int
+config_set_maxsasliosize( const char *attrname, char *value, char *errorbuf, int apply )
+{
+ int retVal = LDAP_SUCCESS;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+ if ( config_value_is_null( attrname, value, errorbuf, 0 )) {
+ return LDAP_OPERATIONS_ERROR;
+ }
+
+ if ( !apply ) {
+ return retVal;
+ }
+
+ CFG_LOCK_WRITE(slapdFrontendConfig);
+
+ slapdFrontendConfig->maxsasliosize = atol(value);
+
+ CFG_UNLOCK_WRITE(slapdFrontendConfig);
+ return retVal;
+}
+
+size_t
+config_get_maxsasliosize()
+{
+ size_t maxsasliosize;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+ maxsasliosize = slapdFrontendConfig->maxsasliosize;
+ if (maxsasliosize == 0) {
+ maxsasliosize = 2 * 1024 * 1024; /* Default: 2Mb */
+ }
+
+ return maxsasliosize;
+}
+
+int
config_set_max_filter_nest_level( const char *attrname, char *value,
char *errorbuf, int apply )
{
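Review bot: `config_set_maxsasliosize` stores `atol(value)` unchecked, so a non-numeric value silently becomes 0 (and hence the 2 MiB default), and a negative value is converted to a huge `size_t`, which effectively disables the packet-size limit this commit introduces; `config_value_is_null` only rejects an absent value. The setter should parse with `strtol`, reject trailing garbage, `ERANGE` and negative results, and report through `errorbuf` before `apply` is consulted. A smaller point: `config_get_maxsasliosize()` reads `maxsasliosize` without the config lock, which is presumably consistent with the other getters in this file, and the empty parameter list should be `(void)` to give it a prototype. The getter's 0-means-default behaviour deserves a line in its header comment, e.g. `/* Returns the configured limit, or 2 MiB when the attribute is unset/0. */`.
```c
int
config_set_maxsasliosize( const char *attrname, char *value, char *errorbuf, int apply )
{
  int retVal = LDAP_SUCCESS;
  long size = 0;
  char *endp = NULL;
  slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();

  if ( config_value_is_null( attrname, value, errorbuf, 0 )) {
    return LDAP_OPERATIONS_ERROR;
  }

  /* Parse strictly: a malformed or negative value must not silently become
   * 0 (the default) or wrap to a huge size_t that disables the limit. */
  errno = 0;
  size = strtol( value, &endp, 10 );
  if ( endp == value || *endp != '\0' || errno == ERANGE || size < 0 ) {
    PR_snprintf( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
                 "%s: \"%s\" is not a valid non-negative size", attrname, value );
    return LDAP_OPERATIONS_ERROR;
  }

  /* … unchanged: !apply early return, CFG_LOCK_WRITE … */
  slapdFrontendConfig->maxsasliosize = (size_t)size;
  /* … unchanged: CFG_UNLOCK_WRITE, return retVal … */
}
```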
Index: proto-slap.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/proto-slap.h,v
retrieving revision 1.42
retrieving revision 1.43
diff -u -r1.42 -r1.43
--- proto-slap.h 7 Nov 2008 22:32:57 -0000 1.42
+++ proto-slap.h 25 Nov 2008 19:20:27 -0000 1.43
@@ -320,6 +320,7 @@
int config_set_referral_mode(const char *attrname, char *url, char *errorbuf, int
apply);
int config_set_conntablesize(const char *attrname, char *url, char *errorbuf, int
apply);
int config_set_maxbersize(const char *attrname, char *value, char *errorbuf, int apply
);
+int config_set_maxsasliosize(const char *attrname, char *value, char *errorbuf, int
apply );
int config_set_versionstring(const char *attrname, char *versionstring, char *errorbuf,
int apply );
int config_set_enquote_sup_oc(const char *attrname, char *value, char *errorbuf, int
apply );
int config_set_basedn( const char *attrname, char *value, char *errorbuf, int apply );
@@ -442,6 +443,7 @@
int config_get_conntablesize(void);
int config_check_referral_mode(void);
ber_len_t config_get_maxbersize();
+size_t config_get_maxsasliosize();
char *config_get_versionstring();
char *config_get_buildnum(void);
int config_get_enquote_sup_oc();
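Review bot: `size_t config_get_maxsasliosize();` declares the function without a prototype, since an empty parameter list in C means "unspecified arguments"; `config_get_buildnum(void)` two lines below shows the form this header already uses. Suggest `size_t config_get_maxsasliosize(void);` (and matching `(void)` on the definition in libglobs.c). The neighbouring `config_get_maxbersize()` has the same omission, but there is no need to widen this commit for it.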
Index: sasl_io.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/sasl_io.c,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- sasl_io.c 17 Oct 2008 22:12:47 -0000 1.15
+++ sasl_io.c 25 Nov 2008 19:20:27 -0000 1.16
@@ -215,6 +215,15 @@
LDAPDebug( LDAP_DEBUG_CONNS,
"read sasl packet length %ld on connection %" PRIu64
"\n", packet_length, c->c_connid, 0 );
+
+ if (packet_length > config_get_maxsasliosize()) {
+ LDAPDebug( LDAP_DEBUG_ANY,
+ "SASL encrypted packet length exceeds maximum allowed limit
(length=%ld, limit=%ld)."
+ " Change the nsslapd-maxsasliosize attribute in cn=config to
increase limit.\n",
+ packet_length, config_get_maxsasliosize(), 0);
+ return -1;
+ }
+
sasl_io_resize_encrypted_buffer(c->c_sasl_io_private, packet_length);
/* Cyrus SASL implementation expects to have the length at the first
4 bytes */
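Review bot: The new `LDAPDebug` call prints the `size_t` returned by `config_get_maxsasliosize()` with `%ld`, which is a format/argument type mismatch (undefined behaviour per the C standard, and a wrong value on platforms where `long` and `size_t` differ); it also calls the getter twice. Suggest reading it once into a local, `size_t maxsize = config_get_maxsasliosize();`, comparing `packet_length > maxsize`, and printing it as `(unsigned long)maxsize` with `%lu`. Placing the check before `sasl_io_resize_encrypted_buffer` is the right ordering, since it stops an attacker-controlled length from driving the allocation; note that if `packet_length` is a signed type (its `%ld` suggests so), a negative length is converted to unsigned in the comparison and is therefore rejected too, which is worth a one-line comment. Whether the `return -1` leads the caller to drop the connection is decided outside this hunk; the enclosing function starts and ends outside it.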
Index: slap.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slap.h,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -r1.39 -r1.40
--- slap.h 7 Nov 2008 22:32:57 -0000 1.39
+++ slap.h 25 Nov 2008 19:20:27 -0000 1.40
@@ -1764,6 +1764,7 @@
#define CONFIG_REFERRAL_MODE_ATTRIBUTE "nsslapd-referralmode"
#define CONFIG_ATTRIBUTE_NAME_EXCEPTION_ATTRIBUTE
"nsslapd-attribute-name-exceptions"
#define CONFIG_MAXBERSIZE_ATTRIBUTE "nsslapd-maxbersize"
+#define CONFIG_MAXSASLIOSIZE_ATTRIBUTE "nsslapd-maxsasliosize"
#define CONFIG_MAX_FILTER_NEST_LEVEL_ATTRIBUTE "nsslapd-max-filter-nest-level"
#define CONFIG_VERSIONSTRING_ATTRIBUTE "nsslapd-versionstring"
#define CONFIG_ENQUOTE_SUP_OC_ATTRIBUTE "nsslapd-enquote-sup-oc"
@@ -1981,8 +1982,9 @@
char *ldapi_gidnumber_type; /* type that contains gid number */
char *ldapi_search_base_dn; /* base dn to search for mapped entries */
char *ldapi_auto_dn_suffix; /* suffix to be appended to auto gen DNs */
- int slapi_counters; /* switch to turn slapi_counters on/off */
- int allow_unauth_binds; /* switch to enable/disable unauthenticated binds */
+ int slapi_counters; /* switch to turn slapi_counters on/off */
+ int allow_unauth_binds; /* switch to enable/disable unauthenticated binds */
+ size_t maxsasliosize; /* limit incoming SASL IO packet size */
#ifndef _WIN32
struct passwd *localuserinfo; /* userinfo of localuser */
#endif /* _WIN32 */
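Review bot: The comment on the new `maxsasliosize` field does not say what 0 means, yet `config_get_maxsasliosize()` in libglobs.c substitutes a 2 MiB default when the field is 0, and the setter stores the value via `atol`, so the field is written from a `long`. Suggest `size_t maxsasliosize; /* limit on incoming SASL IO packet size; 0 selects the 2 MiB default */` so readers of the struct do not assume 0 means unlimited.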