The LDAP context was not checked on the first api call and a context may
be null on some error conditions (LDAP server unreachable).

Always check that we have a valid context before calling the ldap API.

Builds, but it is untested.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From 934568405c8868016dad0dbdcae91e5eada29c8a Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Tue, 5 Jan 2016 16:04:49 -0500
Subject: [PATCH] Always verify we have a valid ldap context.

LDAP calls just assert if an invalid (NULL) context is passed in,
so we need to be sure we have a valid connection context before
calling into LDAP APIs and fail outright if a context can't be obtained.

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb_common.c | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/daemons/ipa-kdb/ipa_kdb_common.c b/daemons/ipa-kdb/ipa_kdb_common.c
index 112086b57c9f83895589538b5494ae81fb14a948..7438f35049ba4e88c401f85a1703323c38c063cc 100644
--- a/daemons/ipa-kdb/ipa_kdb_common.c
+++ b/daemons/ipa-kdb/ipa_kdb_common.c
@@ -158,6 +158,14 @@ static bool ipadb_need_retry(struct ipadb_context *ipactx, int error)
     return false;
 }
 
+static int ipadb_check_connection(struct ipadb_context *ipactx)
+{
+    if (ipactx->lcontext == NULL) {
+        return ipadb_get_connection(ipactx);
+    }
+    return 0;
+}
+
 krb5_error_code ipadb_simple_search(struct ipadb_context *ipactx,
                                     char *basedn, int scope,
                                     char *filter, char **attrs,
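Review bot: `ipadb_check_connection()` has no comment stating its contract, and its guarantee is narrower than the name suggests. It only reconnects when `ipactx->lcontext` is NULL, so a non-NULL handle to a dead connection passes straight through and is left to the existing retry path (`ipadb_need_retry`, visible in the hunk header). It also assumes `ipadb_get_connection()`, which is defined outside this diff, leaves `lcontext` non-NULL whenever it returns 0. I would add above the function: `/* Ensure ipactx->lcontext is set, connecting if needed. Returns 0 or the error from ipadb_get_connection(); does not probe an existing handle. */`.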
@@ -165,6 +173,10 @@ krb5_error_code ipadb_simple_search(struct ipadb_context *ipactx,
 {
     int ret;
 
+    ret = ipadb_check_connection(ipactx);
+    if (ret != 0)
+        return ipadb_simple_ldap_to_kerr(ret);
+
     ret = ldap_search_ext_s(ipactx->lcontext, basedn, scope,
                             filter, attrs, 0, NULL, NULL,
                             &std_timeout, LDAP_NO_LIMIT,
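Review bot: The value handed to `ipadb_simple_ldap_to_kerr(ret)` in the added check does not come from an LDAP call but from `ipadb_get_connection()` via the new helper. That function is outside this diff; if it reports errno-style values rather than LDAP result codes, the translation will map "directory unreachable" to an unrelated or generic krb5 error, which makes KDC outages harder to diagnose from logs. The same pattern is repeated in the `ipadb_simple_delete`, `ipadb_simple_add` and `ipadb_simple_modify` hunks. Please confirm the return domain, and either convert it inside the helper or mark the call sites with `/* ret is from ipadb_get_connection(), not an LDAP result */`. The added `if (ret != 0)` bodies are also unbraced, while the helper in this same patch braces its single-statement `if`.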
@@ -187,6 +199,10 @@ krb5_error_code ipadb_simple_delete(struct ipadb_context *ipactx, char *dn)
 {
     int ret;
 
+    ret = ipadb_check_connection(ipactx);
+    if (ret != 0)
+        return ipadb_simple_ldap_to_kerr(ret);
+
     ret = ldap_delete_ext_s(ipactx->lcontext, dn, NULL, NULL);
 
     /* first test if we need to retry to connect */
@@ -204,6 +220,10 @@ krb5_error_code ipadb_simple_add(struct ipadb_context *ipactx,
 {
     int ret;
 
+    ret = ipadb_check_connection(ipactx);
+    if (ret != 0)
+        return ipadb_simple_ldap_to_kerr(ret);
+
     ret = ldap_add_ext_s(ipactx->lcontext, dn, mods, NULL, NULL);
 
     /* first test if we need to retry to connect */
@@ -221,6 +241,10 @@ krb5_error_code ipadb_simple_modify(struct ipadb_context *ipactx,
 {
     int ret;
 
+    ret = ipadb_check_connection(ipactx);
+    if (ret != 0)
+        return ipadb_simple_ldap_to_kerr(ret);
+
     ret = ldap_modify_ext_s(ipactx->lcontext, dn, mods, NULL, NULL);
 
     /* first test if we need to retry to connect */
@@ -320,6 +344,11 @@ krb5_error_code ipadb_deref_search(struct ipadb_context *ipactx,
     retry = true;
     while (retry) {
         times--;
+
+        ret = ipadb_check_connection(ipactx);
+        if (ret != 0)
+            break;
+
         ret = ldap_search_ext_s(ipactx->lcontext, base_dn,
                                 scope, filter,
                                 entry_attrs, 0,
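Review bot: The `break` after a failed `ipadb_check_connection()` leaves the retry loop with `ret` holding the connection helper's value. The other visible assignment to `ret` in this loop is an LDAP result from `ldap_search_ext_s()`. The code after the loop is outside the hunk, so it should be confirmed that it translates that value sensibly and does not touch search results that were never produced on this path. This is also the only caller that breaks instead of returning immediately, so a short comment would help the next reader: `/* no usable connection: leave the loop, ret is handled below */`. Note that `times--` still runs before the check, so a pass that fails here is counted against the retry budget.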
-- 
2.5.0
