From 3d94d11c75d794e7e741e909b82d65cca1d4949b Mon Sep 17 00:00:00 2001
From: =?utf8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
Date: Mon, 4 Dec 2023 14:30:50 +0000
Subject: [PATCH] ITS#7441 Consider both parts of an X-ORDERED value

---
 servers/slapd/bconfig.c | 38 +++++++++++++++++++++++++++++++++++++-
 servers/slapd/value.c   | 20 +++++++++-----------
 2 files changed, 46 insertions(+), 12 deletions(-)

diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index a5ff9c127e..6bfd4118c8 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -7067,6 +7067,42 @@ out:
 	return rs->sr_err;
 }
 
+static int
+config_back_compare( Operation *op, SlapReply *rs )
+{
+	CfBackInfo *cfb;
+	CfEntryInfo *ce, *last;
+	slap_mask_t mask;
+
+	cfb = (CfBackInfo *)op->o_bd->be_private;
+
+	ldap_pvt_thread_rdwr_rlock( &cfb->cb_rwlock );
+	ce = config_find_base( cfb->cb_root, &op->o_req_ndn, &last, op );
+	if ( !ce ) {
+		if ( last )
+			rs->sr_matched = last->ce_entry->e_name.bv_val;
+		rs->sr_err = LDAP_NO_SUCH_OBJECT;
+		goto out;
+	}
+	if ( !access_allowed_mask( op, ce->ce_entry, slap_schema.si_ad_entry, NULL,
+		ACL_COMPARE, NULL, &mask ))
+	{
+		if ( !ACL_GRANT( mask, ACL_DISCLOSE )) {
+			rs->sr_err = LDAP_NO_SUCH_OBJECT;
+		} else {
+			rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+		}
+		goto out;
+	}
+
+	rs->sr_err = slap_compare_entry( op, ce->ce_entry, op->orc_ava );
+
+out:
+	ldap_pvt_thread_rdwr_runlock( &cfb->cb_rwlock );
+	send_ldap_result( op, rs );
+	return rs->sr_err;
+}
+
 int config_entry_release(
 	Operation *op,
 	Entry *e,
@@ -8221,7 +8257,7 @@ config_back_initialize( BackendInfo *bi )
 	bi->bi_op_bind = config_back_bind;
 	bi->bi_op_unbind = 0;
 	bi->bi_op_search = config_back_search;
-	bi->bi_op_compare = 0;
+	bi->bi_op_compare = config_back_compare;
 	bi->bi_op_modify = config_back_modify;
 	bi->bi_op_modrdn = config_back_modrdn;
 	bi->bi_op_add = config_back_add;
diff --git a/servers/slapd/value.c b/servers/slapd/value.c
index 00e6bed665..5aa5061b84 100644
--- a/servers/slapd/value.c
+++ b/servers/slapd/value.c
@@ -669,17 +669,15 @@ ordered_value_match(
 			}
 		}
 
-		if ( SLAP_MR_IS_VALUE_OF_ASSERTION_SYNTAX( flags )) {
-			if ( !BER_BVISNULL( &ns2 ) && !BER_BVISNULL( &ns1 ) ) {
-				/* compare index values first */
-				(void)octetStringOrderingMatch( match, 0, NULL, NULL, &ns1, &ns2 );
-
-				/* If not equal, or we're only comparing the index,
-				 * return result now.
-				 */
-				if ( *match != 0 || BER_BVISEMPTY( &bv2 ) ) {
-					return LDAP_SUCCESS;
-				}
+		if ( !BER_BVISNULL( &ns2 ) && !BER_BVISNULL( &ns1 ) ) {
+			/* compare index values first */
+			(void)octetStringOrderingMatch( match, 0, NULL, NULL, &ns1, &ns2 );
+
+			/* If not equal, or we're only comparing the index,
+			 * return result now.
+			 */
+			if ( *match != 0 || BER_BVISEMPTY( &bv2 ) ) {
+				return LDAP_SUCCESS;
 			}
 		}
 
-- 
2.47.3