ITS#1530: fix ACLs on empty replace bug

diff --git a/CHANGES b/CHANGES
index e77bd1edd117deff833b20d8aac95a51f436a26a..3aeda17a65cfe92d1fa009d9fe5d9f2b49d376af 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,7 @@
 OpenLDAP 2.0 Change Log
 
 OpenLDAP 2.0.20 Engineering
+       Fixed slapd ACL empty replace bug (ITS#1530)
        Fixed slapd ACL peername/sockname exact match bug (ITS#1516)
        Fixed back-passwd db_config bug
        Fixed -lldap cache debug bug (ITS#1501)

diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index 43cdfbd1d996b93dd93d86382b54d6f70d18f570..c813eda544c705a7a245983127f9febb49fa1738 100644 (file)
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -899,10 +899,20 @@ acl_check_modlist(
 
                switch ( mlist->sml_op ) {
                case LDAP_MOD_REPLACE:
-               case LDAP_MOD_ADD:
                        if ( mlist->sml_bvalues == NULL ) {
+                               if ( ! access_allowed( be, conn, op, e,
+                                       mlist->sml_desc, NULL, ACL_WRITE ) )
+                               {
+                                       return( 0 );
+                               }
                                break;
                        }
+
+                       /* fall thru */
+
+               case LDAP_MOD_ADD:
+                       assert( mlist->sml_bvalues != NULL );
+
                        for ( i = 0; mlist->sml_bvalues[i] != NULL; i++ ) {
                                if ( ! access_allowed( be, conn, op, e,
                                        mlist->sml_desc, mlist->sml_bvalues[i], ACL_WRITE ) )
@@ -929,6 +939,10 @@ acl_check_modlist(
                                }
                        }
                        break;
+
+               default:
+                       assert( 0 );
+                       return( 0 );
                }
        }