From f1ebb456954a825c31d61922a30c3b99a1ae66a3 Mon Sep 17 00:00:00 2001
From: Howard Chu
Date: Mon, 22 Mar 2021 17:31:13 +0000
Subject: [PATCH] ITS#9251 make max filter depth configurable
---
 doc/man/man5/slapd-config.5 | 4 ++++
 doc/man/man5/slapd.conf.5 | 4 ++++
 servers/slapd/bconfig.c | 5 +++++
 servers/slapd/config.c | 2 ++
 servers/slapd/filter.c | 6 +-----
 servers/slapd/proto-slap.h | 1 +
 servers/slapd/slap.h | 1 +
 7 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
index 9e8b0c2523..754fb348b7 100644
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -689,6 +689,10 @@ This level should usually also be included when using other loglevels, to help analyze the logs.
 .RE
 .TP
+.B olcMaxFilterDepth:
+Specify the maximum depth of nested filters in search requests.
+The default is 1000.
+.TP
 .B olcPasswordCryptSaltFormat: Specify the format of the salt passed to
 .BR crypt (3)
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index bb94503622..e8c536e806 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -743,6 +743,10 @@ This level should usually also be included when using other loglevels, to help analyze the logs.
 .RE
 .TP
+.B maxfilterdepth
+Specify the maximum depth of nested filters in search requests.
+The default is 1000.
+.TP
 .B moduleload Specify the name of a dynamically loadable module to load. The filename may be an absolute path name or a simple filename. Non-absolute names
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index a54729aa81..249ea32ec5 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -480,6 +480,10 @@ static ConfigTable config_back_cf_table[] = { &config_generic, "( OLcfgDbAt:0.6 NAME 'olcMaxDerefDepth' " "EQUALITY integerMatch " "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
+ { "maxFilterDepth", "depth", 2, 2, 0, ARG_INT,
+ &slap_max_filter_depth, "( OLcfgGlAt:101 NAME 'olcMaxFilterDepth' "
+ "EQUALITY integerMatch "
+ "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
 { "multiprovider", "on|off", 2, 2, 0, ARG_DB|ARG_ON_OFF|ARG_MAGIC|CFG_MULTIPROVIDER, &config_generic, "( OLcfgDbAt:0.16 NAME ( 'olcMultiProvider' 'olcMirrorMode' ) " "EQUALITY booleanMatch "
@@ -952,6 +956,7 @@ static ConfigOCs cf_ocs[] = { "olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexHash64 $ " "olcIndexIntLen $ " "olcListenerThreads $ olcLocalSSF $ olcLogFile $ olcLogLevel $ "
+ "olcMaxFilterDepth $ "
 "olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ " "olcPluginLogFile $ olcReadOnly $ olcReferral $ " "olcReplogFile $ olcRequires $ olcRestrict $ olcReverseLookup $ "
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index f081de89de..74b51fb479 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -84,6 +84,8 @@ ber_len_t sockbuf_max_incoming_auth= SLAP_SB_MAX_INCOMING_AUTH;
 int slap_conn_max_pending = SLAP_CONN_MAX_PENDING_DEFAULT;
 int slap_conn_max_pending_auth = SLAP_CONN_MAX_PENDING_AUTH;
+int slap_max_filter_depth = SLAP_MAX_FILTER_DEPTH_DEFAULT;
 char *slapd_pid_file = NULL;
 char *slapd_args_file = NULL;
diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
index d338704652..c562c1d0e7 100644
--- a/servers/slapd/filter.c
+++ b/servers/slapd/filter.c
@@ -37,10 +37,6 @@ const Filter *slap_filter_objectClass_pres;
 const struct berval *slap_filterstr_objectClass_pres;
-#ifndef SLAPD_MAX_FILTER_DEPTH
-#define SLAPD_MAX_FILTER_DEPTH 5000
-#endif
-
 static int get_filter_list( Operation *op, BerElement *ber,
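Review bot: The `maxFilterDepth` row added to config_back_cf_table is plain `ARG_INT` writing straight into `slap_max_filter_depth`, so nothing visible in this hunk rejects zero, negative or very large values. The check in filter.c's get_filter0, `if( depth > slap_max_filter_depth )`, would then presumably answer even shallow filters with `SLAPD_DISCONNECT` for a non-positive setting, and stops bounding nesting in any practical sense for a huge one. Validate the value when it is set (reject anything below 1 and above a documented ceiling) and state the accepted range in slapd.conf.5 and slapd-config.5. The table starts and ends outside the hunk, so a range check elsewhere cannot be ruled out from here.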
@@ -132,7 +128,7 @@ get_filter0( * */
- if( depth > SLAPD_MAX_FILTER_DEPTH ) {
+ if( depth > slap_max_filter_depth ) {
 *text = "filter nested too deeply";
 return SLAPD_DISCONNECT;
 }
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 1316f23b9d..5fac0663ef 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -2067,6 +2067,7 @@ LDAP_SLAPD_V (ber_len_t) sockbuf_max_incoming;
 LDAP_SLAPD_V (ber_len_t) sockbuf_max_incoming_auth;
 LDAP_SLAPD_V (int) slap_conn_max_pending;
 LDAP_SLAPD_V (int) slap_conn_max_pending_auth;
+LDAP_SLAPD_V (int) slap_max_filter_depth;
 LDAP_SLAPD_V (slap_mask_t) global_allows;
 LDAP_SLAPD_V (slap_mask_t) global_disallows;
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index ee0a7cd61f..a5fe408dc6 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -143,6 +143,7 @@ LDAP_BEGIN_DECL
 #define SLAP_CONN_MAX_PENDING_DEFAULT 100
 #define SLAP_CONN_MAX_PENDING_AUTH 1000
+#define SLAP_MAX_FILTER_DEPTH_DEFAULT 1000
 #define SLAP_TEXT_BUFLEN (256)
--
2.47.3
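Review bot: `SLAP_MAX_FILTER_DEPTH_DEFAULT 1000` in slap.h lowers the effective limit from the 5000 of the `SLAPD_MAX_FILTER_DEPTH` block this patch removes from filter.c, and a build that defined `SLAPD_MAX_FILTER_DEPTH` itself now has that value ignored without a diagnostic. Because get_filter0 answers an over-deep filter with `SLAPD_DISCONNECT`, a client that nested between the new and the old limit is dropped after an upgrade, so the man page entries should say that the default changed and what the server does when the limit is exceeded. A comment on the define would help too, for example `/* default nesting limit enforced in get_filter0(); override with maxfilterdepth / olcMaxFilterDepth */`. get_filter0's body continues outside its hunk.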