From: Ondřej Kuzník <ondra@mistotebe.net>
Date: Wed, 26 Oct 2022 14:55:18 +0000 (+0100)
Subject: ITS#9045 Do not share cn=config entries with outside code
X-Git-Tag: OPENLDAP_REL_ENG_2_5_14~47
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ce7a7997833326e3a9fb363b7fb10afe02b7d192;p=thirdparty%2Fopenldap.git

ITS#9045 Do not share cn=config entries with outside code

config_back_entry_get currently returns the entry directly without
securing the rwlock, which is unsafe. However we can't keep holding it
on return in case the caller decides to hold onto the entry
indefinitely, hence rlock+entry_dup+runlock.
---

diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index c5c69bab56..4e00802723 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -6941,7 +6941,6 @@ out:
 	return rs->sr_err;
 }
 
-/* no-op, we never free entries */
 int config_entry_release(
 	Operation *op,
 	Entry *e,
@@ -6961,6 +6960,8 @@ int config_entry_release(
 		} else {
 			entry_free( e );
 		}
+	} else {
+		entry_free( e );
 	}
 	return rc;
 }
@@ -6977,21 +6978,31 @@ int config_back_entry_get(
 {
 	CfBackInfo *cfb;
 	CfEntryInfo *ce, *last;
-	int rc = LDAP_NO_SUCH_OBJECT;
+	Entry *e = NULL;
+	int locked = 0, rc = LDAP_NO_SUCH_OBJECT;
 
 	cfb = (CfBackInfo *)op->o_bd->be_private;
 
+	if ( !ldap_pvt_thread_pool_pausequery( &connection_pool ) ) {
+		ldap_pvt_thread_rdwr_rlock( &cfb->cb_rwlock );
+		locked = 1;
+	}
 	ce = config_find_base( cfb->cb_root, ndn, &last );
 	if ( ce ) {
-		*ent = ce->ce_entry;
-		if ( *ent ) {
+		e = ce->ce_entry;
+		if ( e ) {
 			rc = LDAP_SUCCESS;
-			if ( oc && !is_entry_objectclass_or_sub( *ent, oc ) ) {
+			if ( oc && !is_entry_objectclass_or_sub( e, oc ) ) {
 				rc = LDAP_NO_SUCH_ATTRIBUTE;
-				*ent = NULL;
+				e = NULL;
 			}
 		}
 	}
+	if ( e ) {
+		*ent = entry_dup( e );
+	}
+	if ( locked )
+		ldap_pvt_thread_rdwr_runlock( &cfb->cb_rwlock );
 
 	return rc;
 }