Source-Changes-HG archive


[src/netbsd-7]: src/external/bsd/openldap/dist/servers/slapd Pull up followin...



details:   https://anonhg.NetBSD.org/src/rev/2b6483368995
branches:  netbsd-7
changeset: 799195:2b6483368995
user:      snj <snj%NetBSD.org@localhost>
date:      Tue Apr 14 05:00:15 2015 +0000

description:
Pull up following revision(s) (requested by christos in ticket #680):
        external/bsd/openldap/dist/servers/slapd/filter.c: revision 1.2
        external/bsd/openldap/dist/servers/slapd/overlays/deref.c: revision 1.2
Apply: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=c32e74763f77675b9e144126e375977ed6dc562c
The deref overlay in slapd 2.4.13 through 2.4.40 dereferences a NULL
pointer when a search request includes the Deref control with an empty
list of attributes to return (missing input validation). [CVE-2015-1545]
--
Apply: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=2f1a2dd329b91afe561cd06b872d09630d4edb6a
Certain search queries including the Matched Values control can trigger
a double free in slapd 2.4.40 when freeing operation controls. This is a
regression in 2.4.40, no earlier releases are affected. [CVE-1546]

diffstat:

 external/bsd/openldap/dist/servers/slapd/filter.c         |  12 ++++--------
 external/bsd/openldap/dist/servers/slapd/overlays/deref.c |   5 +++--
 2 files changed, 7 insertions(+), 10 deletions(-)

diffs (46 lines):

diff -r c3edcc1d99f3 -r 2b6483368995 external/bsd/openldap/dist/servers/slapd/filter.c
--- a/external/bsd/openldap/dist/servers/slapd/filter.c Tue Apr 14 04:44:41 2015 +0000
+++ b/external/bsd/openldap/dist/servers/slapd/filter.c Tue Apr 14 05:00:15 2015 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: filter.c,v 1.1.1.4 2014/05/28 09:58:46 tron Exp $      */
+/*     $NetBSD: filter.c,v 1.1.1.4.2.1 2015/04/14 05:00:15 snj Exp $   */
 
 /* filter.c - routines for parsing and dealing with filters */
 /* $OpenLDAP$ */
@@ -1160,14 +1160,10 @@
 void
 vrFilter_free( Operation *op, ValuesReturnFilter *vrf )
 {
-       ValuesReturnFilter      *p, *next;
+       ValuesReturnFilter      *next;
 
-       if ( vrf == NULL ) {
-               return;
-       }
-
-       for ( p = vrf; p != NULL; p = next ) {
-               next = p->vrf_next;
+       for ( p = vrf; vrf != NULL; vrf = next ) {
+               next = vrf->vrf_next;
 
                switch ( vrf->vrf_choice & SLAPD_FILTER_MASK ) {
                case LDAP_FILTER_PRESENT:
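
Review bot: the new loop header `for ( p = vrf; vrf != NULL; vrf = next )` still assigns to `p`, but the same hunk drops `p` from the declaration (`ValuesReturnFilter *next;`), which leaves `p` undeclared in this function as shown. Leave the init clause empty, `for ( ; vrf != NULL; vrf = next )`, since `vrf` is now the cursor. Walking `vrf` itself does line up with the unchanged `switch ( vrf->vrf_choice & SLAPD_FILTER_MASK )` in the body, which the old loop reached while advancing only `p`; a short comment saying that the body operates on `vrf` would keep a later cleanup from reintroducing a separate cursor.
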
diff -r c3edcc1d99f3 -r 2b6483368995 external/bsd/openldap/dist/servers/slapd/overlays/deref.c
--- a/external/bsd/openldap/dist/servers/slapd/overlays/deref.c Tue Apr 14 04:44:41 2015 +0000
+++ b/external/bsd/openldap/dist/servers/slapd/overlays/deref.c Tue Apr 14 05:00:15 2015 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: deref.c,v 1.1.1.3 2014/05/28 09:58:52 tron Exp $       */
+/*     $NetBSD: deref.c,v 1.1.1.3.2.1 2015/04/14 05:00:15 snj Exp $    */
 
 /* deref.c - dereference overlay */
 /* $OpenLDAP$ */
@@ -185,7 +185,8 @@
                ber_len_t cnt = sizeof(struct berval);
                ber_len_t off = 0;
 
-               if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR )
+               if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR
+                       || !cnt )
                {
                        rs->sr_text = "Dereference control: derefSpec decoding error";
                        rs->sr_err = LDAP_PROTOCOL_ERROR;
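
Review bot: on the added `|| !cnt` line, an empty attribute list is rejected through the same branch as a BER decoding failure, so the client gets "Dereference control: derefSpec decoding error" for a control that decoded but carried no attributes. Consider a separate check with its own `sr_text` so the two cases can be told apart in logs. Also, `cnt` is initialised to `sizeof(struct berval)` and passed by address, so the test relies on `ber_scanf` overwriting it with the number of parsed attributes; a one-line comment stating that would make the check easier to audit.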


