From 44315fd37c68c43ceb0debc3cbee79421c58a942 Mon Sep 17 00:00:00 2001
From: tbordaz <tbordaz@redhat.com>
Date: Thu, 15 Oct 2020 16:59:56 +0200
Subject: [PATCH 3/5] Issue 4379 - allow more than 1 empty AttributeDescription
for ldapsearch, without the risk of denial of service (#4380)
Bug description:
The fix #3028 enforces a strict limit of empty attributeDescription.
The limit is low (1) and some applications may fail.
We can relax this limit to a higher value without reopening DOS risk
Fix description:
Change the max authorized empty attributesDescription from 1 to 10
relates: https://github.com/389ds/389-ds-base/issues/4379
Reviewed by: Mark Reynolds
Platforms tested: F31
---
ldap/servers/slapd/search.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ldap/servers/slapd/search.c b/ldap/servers/slapd/search.c
index 2a9979552..cfbc8b0dc 100644
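--- a/ldap/servers/slapd/search.c
+++ b/ldap/servers/slapd/search.c
@@ -229,7 +229,7 @@ do_search(Slapi_PBlock *pb)
 
 if ( attrs[i][0] == '\0') {
 empty_attrs++;
- if (empty_attrs > 1) {
+ if (empty_attrs > 10) {
 log_search_access(pb, base, scope, fstr, "invalid attribute request");
 send_ldap_result(pb, LDAP_PROTOCOL_ERROR, NULL, NULL, 0, NULL);
 slapi_ch_free_string(&normaci);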
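Review bot: The new bound in `if (empty_attrs > 10) {` is a bare literal with nothing tying it to the denial-of-service fix it relaxes (#3028 per the commit message), so a later reader cannot tell that it is a security limit rather than an arbitrary count. I would give it a name and a rationale, for example `#define MAX_EMPTY_ATTR_DESCRIPTIONS 10 /* cap on empty AttributeDescriptions per search request; bounds per-request work, see #3028 and #4379 */` (name is only a suggestion), and compare with `if (empty_attrs > MAX_EMPTY_ATTR_DESCRIPTIONS) {`. The diffstat lists only search.c, so this patch carries no test for the boundary; a regression test that sends 10 and then 11 empty descriptions and expects success and LDAP_PROTOCOL_ERROR respectively would pin it. The loop in do_search that contains this check starts and ends outside the hunk.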
--
2.26.2