Blob Blame Raw
From 1013a1bfe0882d213f48e900ab89e00651188489 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 9 Aug 2018 15:27:59 -0400
Subject: [PATCH] Ticket 49890 : ldapsearch with server side sort crashes the 
 ldap server

Bug Description:
        Server side sort with a specified matching rule trigger a crash

Fix Description:
        Check if the we are able to index the provided value.
        If we are not then slapd_qsort returns an error (LDAP_OPERATION_ERROR)

https://pagure.io/389-ds-base/issue/49890

Reviewed by: mreynolds

Platforms tested: F27

Flag Day: no

Doc impact: no

(cherry picked from commit c989e18f7a3da060b16d39919b920b6b2a19a0ac)
---
 dirsrvtests/tests/suites/syntax/mr_test.py | 59 ++++++++++++++++++++++
 ldap/servers/slapd/back-ldbm/sort.c        | 14 +++++
 2 files changed, 73 insertions(+)
 create mode 100644 dirsrvtests/tests/suites/syntax/mr_test.py

diff --git a/dirsrvtests/tests/suites/syntax/mr_test.py b/dirsrvtests/tests/suites/syntax/mr_test.py
new file mode 100644
index 000000000..57061222a
--- /dev/null
+++ b/dirsrvtests/tests/suites/syntax/mr_test.py
@@ -0,0 +1,59 @@
+import logging
+import pytest
+import os
+import ldap
+from lib389.dbgen import dbgen
+from lib389._constants import *
+from lib389.topologies import topology_st as topo
+from lib389._controls import SSSRequestControl
+
+DEBUGGING = os.getenv("DEBUGGING", default=False)
+if DEBUGGING:
+    logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+    logging.getLogger(__name__).setLevel(logging.INFO)
+log = logging.getLogger(__name__)
+
+
+def test_sss_mr(topo):
+    """Test matching rule/server side sort does not crash DS
+
+    :id: 48c73d76-1694-420f-ab55-187135f2d260
+    :setup: Standalone Instance
+    :steps:
+        1. Add sample entries to the database
+        2. Perform search using server side control (uid:2.5.13.3)
+    :expectedresults:
+        1. Success
+        2. Success
+    """
+
+    log.info("Creating LDIF...")
+    ldif_dir = topo.standalone.get_ldif_dir()
+    ldif_file = os.path.join(ldif_dir, 'mr-crash.ldif')
+    dbgen(topo.standalone, 5, ldif_file, DEFAULT_SUFFIX)
+
+    log.info("Importing LDIF...")
+    topo.standalone.stop()
+    assert topo.standalone.ldif2db(DEFAULT_BENAME, None, None, None, ldif_file)
+    topo.standalone.start()
+
+    log.info('Search using server side sorting using undefined mr in the attr...')
+    sort_ctrl = SSSRequestControl(True, ['uid:2.5.13.3'])
+    controls = [sort_ctrl]
+    msg_id = topo.standalone.search_ext(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
+                                        "objectclass=*", serverctrls=controls)
+    try:
+        rtype, rdata, rmsgid, response_ctrl = topo.standalone.result3(msg_id)
+    except ldap.OPERATIONS_ERROR:
+        pass
+
+    log.info("Test PASSED")
+
+
+if __name__ == '__main__':
+    # Run isolated
+    # -s for DEBUG mode
+    CURRENT_FILE = os.path.realpath(__file__)
+    pytest.main(["-s", CURRENT_FILE])
+
diff --git a/ldap/servers/slapd/back-ldbm/sort.c b/ldap/servers/slapd/back-ldbm/sort.c
index 5b84d87f3..70ac60803 100644
--- a/ldap/servers/slapd/back-ldbm/sort.c
+++ b/ldap/servers/slapd/back-ldbm/sort.c
@@ -546,6 +546,16 @@ compare_entries_sv(ID *id_a, ID *id_b, sort_spec *s, baggage_carrier *bc, int *e
             /* Now copy it, so the second call doesn't crap on it */
             value_a = slapi_ch_bvecdup(temp_value); /* Really, we'd prefer to not call the chXXX variant...*/
             matchrule_values_to_keys(this_one->mr_pb, actual_value_b, &value_b);
+
+            if ((actual_value_a && !value_a) ||
+                (actual_value_b && !value_b)) {
+                ber_bvecfree(actual_value_a);
+                ber_bvecfree(actual_value_b);
+                CACHE_RETURN(&inst->inst_cache, &a);
+                CACHE_RETURN(&inst->inst_cache, &b);
+                *error = 1;
+                return 0;
+            }
             if (actual_value_a)
                 ber_bvecfree(actual_value_a);
             if (actual_value_b)
@@ -717,6 +727,8 @@ recurse:
                A[i] >= A[lo] for higuy <= i <= hi */
 
             do {
+                if (error)
+                    return LDAP_OPERATIONS_ERROR;
                 loguy++;
             } while (loguy <= hi && compare_entries_sv(loguy, lo, s, bc, &error) <= 0);
 
@@ -724,6 +736,8 @@ recurse:
                either loguy > hi or A[loguy] > A[lo] */
 
             do {
+                if (error)
+                    return LDAP_OPERATIONS_ERROR;
                 higuy--;
             } while (higuy > lo && compare_entries_sv(higuy, lo, s, bc, &error) >= 0);
 
-- 
2.17.1