r21806: I've been working over the last week to fix up the LDAP backend for

Samba4. This only broke on global catalog queries, which turned out to be due to changes in the partitions module that metze needed for his DRSUAPI work. I've reworked partitions.c to always include the 'problematic' control, and therefore demonstrated that this is the issue. This ensures consistency, and should help with finding issues like this in future. As this control (DSDB_CONTROL_CURRENT_PARTITION_OID) is not intended to be linearised, I've added logic to allow it to be skipped when creating network packets. I've likewise make our LDAP server skip unknown controls, when marked 'not critical' on it's input, rather than just dropping the entire request. I need some help to generate a correct error packet when it is marked critical. Further work could perhaps be to have the ldap_encode routine return a textual description of what failed to encode, as that would have saved me a lot of time... Andrew Bartlett (This used to be commit eef710668f91d1bbaa2d834d9e653e11c8aac817)
author: Andrew Bartlett <abartlet@samba.org> 2007-03-13 00:59:06 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 14:49:29 -0500
commit: 9b03286b32a916dbef59f1459eefa01f0ebfeed3 (patch)
tree: acc52923c4ce8e92dc902b201c12b046f8a04826 /source4/libcli/ldap/ldap.c
parent: b6b98f63009b00e3e6766eee46d1142b8772c966 (diff)
download: samba-9b03286b32a916dbef59f1459eefa01f0ebfeed3.tar.gz
samba-9b03286b32a916dbef59f1459eefa01f0ebfeed3.tar.bz2
samba-9b03286b32a916dbef59f1459eefa01f0ebfeed3.zip
1 files changed, 46 insertions, 29 deletions
diff --git a/source4/libcli/ldap/ldap.c b/source4/libcli/ldap/ldap.c
index 5a7174b41d..1e308d5847 100644
--- a/source4/libcli/ldap/ldap.c
+++ b/source4/libcli/ldap/ldap.c
@@ -925,7 +925,9 @@ static void ldap_decode_attribs(TALLOC_CTX *mem_ctx, struct asn1_data *data,
 	asn1_end_tag(data);
 }
 
-BOOL ldap_decode(struct asn1_data *data, struct ldap_message *msg)
+/* This routine returns LDAP status codes */
+
+NTSTATUS ldap_decode(struct asn1_data *data, struct ldap_message *msg)
 {
 	uint8_t tag;
 
@@ -933,7 +935,7 @@ BOOL ldap_decode(struct asn1_data *data, struct ldap_message *msg)
 	asn1_read_Integer(data, &msg->messageid);
 
 	if (!asn1_peek_uint8(data, &tag))
-		return False;
+		return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
 
 	switch(tag) {
 
@@ -950,12 +952,12 @@ BOOL ldap_decode(struct asn1_data *data, struct ldap_message *msg)
 			asn1_start_tag(data, ASN1_CONTEXT_SIMPLE(0));
 			pwlen = asn1_tag_remaining(data);
 			if (pwlen == -1) {
-				return False;
+				return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
 			}
 			if (pwlen != 0) {
 				char *pw = talloc_size(msg, pwlen+1);
 				if (!pw) {
-					return False;
+					return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
 				}
 				asn1_read(data, pw, pwlen);
 				pw[pwlen] = '\0';
@@ -971,7 +973,7 @@ BOOL ldap_decode(struct asn1_data *data, struct ldap_message *msg)
 				asn1_read_OctetString(data, &tmp_blob);
 				r->creds.SASL.secblob = talloc(msg, DATA_BLOB);
 				if (!r->creds.SASL.secblob) {
-					return False;
+					return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
 				}
 				*r->creds.SASL.secblob = data_blob_talloc(r->creds.SASL.secblob,
 									  tmp_blob.data, tmp_blob.length);
@@ -982,7 +984,7 @@ BOOL ldap_decode(struct asn1_data *data, struct ldap_message *msg)
 			asn1_end_tag(data);
 		} else {
 			/* Neither Simple nor SASL bind */
-			return False;
+			return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
 		}
 		asn1_end_tag(data);
 		break;
@@ -998,7 +1000,7 @@ BOOL ldap_decode(struct asn1_data *data, struct ldap_message *msg)
 			asn1_read_ContextSimple(data, 7, &tmp_blob);
 			r->SASL.secblob = talloc(msg, DATA_BLOB);
 			if (!r->SASL.secblob) {
-				return False;
+				return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
 			}
 			*r->SASL.secblob = data_blob_talloc(r->SASL.secblob,
 							    tmp_blob.data, tmp_blob.length);
@@ -1030,7 +1032,7 @@ BOOL ldap_decode(struct asn1_data *data, struct ldap_message *msg)
 
 		r->tree = ldap_decode_filter_tree(msg, data);
 		if (r->tree == NULL) {
-			return False;
+			return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
 		}
 
 		asn1_start_tag(data, ASN1_SEQUENCE(0));
@@ -1038,15 +1040,16 @@ BOOL ldap_decode(struct asn1_data *data, struct ldap_message *msg)
 		r->num_attributes = 0;
 		r->attributes = NULL;
 
-		while (asn1_tag_remaining(data) > 0) {
+		while (asn1_tag_remaining(data) > 0) {					
+
 			const char *attr;
 			if (!asn1_read_OctetString_talloc(msg, data,
 							  &attr))
-				return False;
+				return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
 			if (!add_string_to_array(msg, attr,
 						 &r->attributes,
 						 &r->num_attributes))
-				return False;
+				return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
 		}
 
 		asn1_end_tag(data);
@@ -1106,7 +1109,7 @@ BOOL ldap_decode(struct asn1_data *data, struct ldap_message *msg)
 			asn1_end_tag(data);
 			if (!add_mod_to_array_talloc(msg, &mod,
 						     &r->mods, &r->num_mods)) {
-				return False;
+				return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
 			}
 		}
 
@@ -1157,7 +1160,7 @@ BOOL ldap_decode(struct asn1_data *data, struct ldap_message *msg)
 			       ASN1_APPLICATION_SIMPLE(LDAP_TAG_DelRequest));
 		len = asn1_tag_remaining(data);
 		if (len == -1) {
-			return False;
+			return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
 		}
 		dn = talloc_size(msg, len+1);
 		if (dn == NULL)
@@ -1193,11 +1196,11 @@ BOOL ldap_decode(struct asn1_data *data, struct ldap_message *msg)
 			asn1_start_tag(data, ASN1_CONTEXT_SIMPLE(0));
 			len = asn1_tag_remaining(data);
 			if (len == -1) {
-				return False;
+				return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
 			}
 			newsup = talloc_size(msg, len+1);
 			if (newsup == NULL) {
-				return False;
+				return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
 			}
 			asn1_read(data, newsup, len);
 			newsup[len] = '\0';
@@ -1259,19 +1262,19 @@ BOOL ldap_decode(struct asn1_data *data, struct ldap_message *msg)
 		msg->type = LDAP_TAG_ExtendedRequest;
 		asn1_start_tag(data,tag);
 		if (!asn1_read_ContextSimple(data, 0, &tmp_blob)) {
-			return False;
+			return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
 		}
 		r->oid = blob2string_talloc(msg, tmp_blob);
 		data_blob_free(&tmp_blob);
 		if (!r->oid) {
-			return False;
+			return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
 		}
 
 		if (asn1_peek_tag(data, ASN1_CONTEXT_SIMPLE(1))) {
 			asn1_read_ContextSimple(data, 1, &tmp_blob);
 			r->value = talloc(msg, DATA_BLOB);
 			if (!r->value) {
-				return False;
+				return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
 			}
 			*r->value = data_blob_talloc(r->value, tmp_blob.data, tmp_blob.length);
 			data_blob_free(&tmp_blob);
@@ -1296,7 +1299,7 @@ BOOL ldap_decode(struct asn1_data *data, struct ldap_message *msg)
 			r->oid = blob2string_talloc(msg, tmp_blob);
 			data_blob_free(&tmp_blob);
 			if (!r->oid) {
-				return False;
+				return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
 			}
 		} else {
 			r->oid = NULL;
@@ -1306,7 +1309,7 @@ BOOL ldap_decode(struct asn1_data *data, struct ldap_message *msg)
 			asn1_read_ContextSimple(data, 1, &tmp_blob);
 			r->value = talloc(msg, DATA_BLOB);
 			if (!r->value) {
-				return False;
+				return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
 			}
 			*r->value = data_blob_talloc(r->value, tmp_blob.data, tmp_blob.length);
 			data_blob_free(&tmp_blob);
@@ -1318,34 +1321,45 @@ BOOL ldap_decode(struct asn1_data *data, struct ldap_message *msg)
 		break;
 	}
 	default: 
-		return False;
+		return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
 	}
 
 	msg->controls = NULL;
 
 	if (asn1_peek_tag(data, ASN1_CONTEXT(0))) {
-		int i;
+		int i = 0;
 		struct ldb_control **ctrl = NULL;
 
 		asn1_start_tag(data, ASN1_CONTEXT(0));
 
-		for (i=0; asn1_peek_tag(data, ASN1_SEQUENCE(0)); i++) {
+		while (asn1_peek_tag(data, ASN1_SEQUENCE(0))) {
+			DATA_BLOB value;
 			/* asn1_start_tag(data, ASN1_SEQUENCE(0)); */
 
 			ctrl = talloc_realloc(msg, ctrl, struct ldb_control *, i+2);
 			if (!ctrl) {
-				return False;
+				return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
 			}
 
 			ctrl[i] = talloc(ctrl, struct ldb_control);
 			if (!ctrl[i]) {
-				return False;
+				return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
 			}
 
-			if (!ldap_decode_control(ctrl, data, ctrl[i])) {
-				return False;
+			if (!ldap_decode_control_wrapper(ctrl, data, ctrl[i], &value)) {
+				return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
+			}
+			
+			if (!ldap_decode_control_value(ctrl, value, ctrl[i])) {
+				if (ctrl[i]->critical) {
+					return NT_STATUS_LDAP(LDAP_UNAVAILABLE_CRITICAL_EXTENSION);
+				} else {
+					talloc_free(ctrl[i]);
+					ctrl[i] = NULL;
+				}
+			} else {
+				i++;
 			}
-
 		}
 
 		if (ctrl != NULL) {
@@ -1358,7 +1372,10 @@ BOOL ldap_decode(struct asn1_data *data, struct ldap_message *msg)
 	}
 
 	asn1_end_tag(data);
-	return ((!data->has_error) && (data->nesting == NULL));
+	if ((data->has_error) || (data->nesting != NULL)) {
+		return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
+	}
+	return NT_STATUS_OK;
 }
author	Andrew Bartlett <abartlet@samba.org>	2007-03-13 00:59:06 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 14:49:29 -0500
commit	9b03286b32a916dbef59f1459eefa01f0ebfeed3 (patch)
tree	acc52923c4ce8e92dc902b201c12b046f8a04826 /source4/libcli/ldap/ldap.c
parent	b6b98f63009b00e3e6766eee46d1142b8772c966 (diff)
download	samba-9b03286b32a916dbef59f1459eefa01f0ebfeed3.tar.gz samba-9b03286b32a916dbef59f1459eefa01f0ebfeed3.tar.bz2 samba-9b03286b32a916dbef59f1459eefa01f0ebfeed3.zip