From d695afb6a637432e880296d8552f466981c0796c Mon Sep 17 00:00:00 2001
From: "Thierry bordaz (tbordaz)"
Date: Thu, 16 May 2013 15:28:47 +0200
Subject: [PATCH 72/78] Ticket 571 (dup 47361) - Empty control list causes LDAP protocol error is thrown

Bug Description: If a request contains a list of controls containing zero control, it does not conform RFC http://tools.ietf.org/html/rfc4511#section-4.1.11. Then the server returns a Protocol Error. This is too restrictive for some applications. Note: such application needs to be linked with old version of mozldap or openldap because recent version skip sending empty list of controls
Fix Description: The fix is to ignore this error and let the operation complete Note: ticket 571 (bz 918717) is a duplicate of 47361 (bz 963234). 47361 was used to backport in 1.2.11. 571 is used to backport in 1.3.1. This bug is fixed since 1.3.2
https://fedorahosted.org/389/ticket/571
https://fedorahosted.org/389/ticket/47361
Reviewed by: Rich Megginson (thanks Rich !)
Platforms tested: F17 (unit + acceptance vlv/proxy/managed/psearch/tls/bindcontrol)
Flag Day: no
Doc impact: no
(cherry picked from commit dea2a254117f1e9f4be1068c6784b2780fec933f)
---
 ldap/servers/slapd/control.c | 32 +++++++++++++++++++++-----------
 1 file changed, 21 insertions(+), 11 deletions(-)

diff --git a/ldap/servers/slapd/control.c b/ldap/servers/slapd/control.c
index fc3ab9f..e614d50 100644
--- a/ldap/servers/slapd/control.c
+++ b/ldap/servers/slapd/control.c
@@ -354,17 +354,27 @@ get_ldapmessage_controls_ext(
 len = -1; /* reset for next loop iter */
 }
 
- if ( (tag != LBER_END_OF_SEQORSET) && (len != -1) ) {
- goto free_and_return;
- }
-
- slapi_pblock_set( pb, SLAPI_REQCONTROLS, ctrls );
- managedsait = slapi_control_present( ctrls,
- LDAP_CONTROL_MANAGEDSAIT, NULL, NULL );
- slapi_pblock_set( pb, SLAPI_MANAGEDSAIT, &managedsait );
- pwpolicy_ctrl = slapi_control_present( ctrls,
- LDAP_X_CONTROL_PWPOLICY_REQUEST, NULL, NULL );
- slapi_pblock_set( pb, SLAPI_PWPOLICY, &pwpolicy_ctrl );
+ if (curcontrols == 0) {
+ int ctrl_not_found = 0; /* means that a given control is not present in the request */
+
+ slapi_pblock_set(pb, SLAPI_REQCONTROLS, NULL);
+ slapi_pblock_set(pb, SLAPI_MANAGEDSAIT, &ctrl_not_found);
+ slapi_pblock_set(pb, SLAPI_PWPOLICY, &ctrl_not_found);
+ slapi_log_error(SLAPI_LOG_CONNS, "connection", "Warning: conn=%d op=%d contains an empty list of controls\n",
+ pb->pb_conn->c_connid, pb->pb_op->o_opid);
+ } else {
+ if ((tag != LBER_END_OF_SEQORSET) && (len != -1)) {
+ goto free_and_return;
+ }
+
+ slapi_pblock_set(pb, SLAPI_REQCONTROLS, ctrls);
+ managedsait = slapi_control_present(ctrls,
+ LDAP_CONTROL_MANAGEDSAIT, NULL, NULL);
+ slapi_pblock_set(pb, SLAPI_MANAGEDSAIT, &managedsait);
+ pwpolicy_ctrl = slapi_control_present(ctrls,
+ LDAP_X_CONTROL_PWPOLICY_REQUEST, NULL, NULL);
+ slapi_pblock_set(pb, SLAPI_PWPOLICY, &pwpolicy_ctrl);
+ }
 
 if ( controlsp != NULL ) {
 *controlsp = ctrls;
-- 
1.8.1.4
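Review bot: The new `curcontrols == 0` branch skips the `(tag != LBER_END_OF_SEQORSET) && (len != -1)` check that the else branch keeps, so a controls sequence whose decoding stops before the first control is accepted as an empty list regardless of why it stopped. The loop that sets `tag` and `len` is outside the hunk, so whether a truncated or malformed sequence can arrive here with zero controls parsed has to be confirmed there; if it can, the tolerance is wider than the empty list the commit message describes. At minimum the branch should state this, e.g. `/* zero controls parsed: tag/len are deliberately not validated here, see RFC 4511 section 4.1.11 */`, and the warning would be more useful for spotting non-conforming clients if it also printed `tag` and `len`. The message formats `c_connid` and `o_opid` with `%d`; that should be checked against the declared types of those fields, which are not visible in this hunk.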