IPA: Check RDN in ipa_add_ad_memberships_get_next
LDB functions ldb_dn_get_component_val and ldb_dn_get_rdn_val
validate the DN before returning the component value.
It should be a valid DN according to RFC 4514.

IPA/389ds might return problematic DN due to replication conflicts.
e.g. "cn=System: Read Service Delegations+nsuniqueid=b0736336-d06e11e5-8e8acabe-ce8d458d,cn=permissions,dc=example,dc=com"

It's better to check the return value of these LDB functions rather than
crash because of a NULL pointer dereference.

Resolves:
https://fedorahosted.org/sssd/ticket/2980

Reviewed-by: Sumit Bose <sbose@redhat.com>
Lukas Slebodnik committed Apr 12, 2016
1 parent bdd5331 commit 22eead9
8 changes: 7 additions & 1 deletion src/providers/ipa/ipa_subdomains_ext_groups.c
Expand Up @@ -862,7 +862,13 @@ static void ipa_add_ad_memberships_get_next(struct tevent_req *req)
goto fail;
}

val = ldb_dn_get_component_val(group_dn, 0);
val = ldb_dn_get_rdn_val(group_dn);
if (val == NULL || val->data == NULL) {
DEBUG(SSSDBG_OP_FAILURE,
"Invalid group DN [%s].\n", state->groups[state->iter]);
ret = EINVAL;
goto fail;
}

/* TODO: here is would be useful for have a filter type like BE_FILTER_DN to
* directly fetch the group with the corresponding DN. */
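Review bot: Replacing `ldb_dn_get_component_val(group_dn, 0)` with `ldb_dn_get_rdn_val(group_dn)` is a second change bundled into this hunk that the commit message does not explain; since both accessors validate the DN and return NULL on a malformed one (as the message itself states), either keep the original call and add only the `val == NULL || val->data == NULL` guard, or state in the message why the RDN accessor is preferred. The guard itself is the right fix for the replication-conflict DN quoted in the message: a NULL return is now logged via DEBUG with the offending `state->groups[state->iter]` string and mapped to EINVAL instead of being dereferenced.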