On Mon, Mar 25, 2013 at 10:56:05AM +0100, Petr Spacek wrote:
Hello,
Harden update-policy processing.
https://fedorahosted.org/bind-dyndb-ldap/ticket/111
This patch should prevent crashes similar to the 'zonesub' problem
described in ticket #111.
Ack
From 05d73392dc6c0f9f6f7a9e570e4382ccb3c66022 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Mon, 25 Mar 2013 10:52:50 +0100
Subject: [PATCH] Harden update-policy processing.
https://fedorahosted.org/bind-dyndb-ldap/ticket/111
Signed-off-by: Petr Spacek pspa...@redhat.com
---
src/acl.c | 41 -
1 file changed, 28 insertions(+), 13 deletions(-)
diff --git a/src/acl.c b/src/acl.c
index
ed3bdebcc027f3f5b7b2e9e084cf328ed4f6b1dd..3b5de00f8a40cbc1a876ea2b74e9c2093e48774c
100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -178,32 +178,48 @@ parse(cfg_parser_t *parser, const char *string,
cfg_type_t **type,
#define MATCH(string_rep, return_val)
\
do {\
if (!strcasecmp(str, string_rep)) { \
- return return_val; \
+ *value = return_val;\
+ return ISC_R_SUCCESS; \
} \
} while (0)
-static isc_boolean_t
-get_mode(const cfg_obj_t *obj)
+static isc_result_t
+get_mode(const cfg_obj_t *obj, isc_boolean_t *value)
{
const char *str;
+ if (!cfg_obj_istuple(obj)) {
+ log_bug(tuple is expected);
+ return ISC_R_UNEXPECTED;
+ }
obj = cfg_tuple_get(obj, mode);
+ if (!cfg_obj_isstring(obj)) {
+ log_bug(mode is not defined);
+ return ISC_R_UNEXPECTED;
+ }
str = cfg_obj_asstring(obj);
MATCH(grant, ISC_TRUE);
MATCH(deny, ISC_FALSE);
- INSIST(0);
- /* Not reached. */
- return ISC_FALSE;
+ log_bug(unsupported ACL mode '%s', str);
+ return ISC_R_NOTIMPLEMENTED;
}
-static unsigned int
-get_match_type(const cfg_obj_t *obj)
+static isc_result_t
+get_match_type(const cfg_obj_t *obj, unsigned int *value)
{
const char *str;
+ if (!cfg_obj_istuple(obj)) {
+ log_bug(tuple is expected);
+ return ISC_R_UNEXPECTED;
+ }
obj = cfg_tuple_get(obj, matchtype);
+ if (!cfg_obj_isstring(obj)) {
+ log_bug(matchtype is not defined);
+ return ISC_R_UNEXPECTED;
+ }
str = cfg_obj_asstring(obj);
MATCH(name, DNS_SSUMATCHTYPE_NAME);
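Review bot: The rewritten MATCH macro now stores through a local named `value` and returns from the enclosing function, but nothing at the `#define` or in get_mode()/get_match_type() says so, and neither function checks `value` before the macro dereferences it. I would put a comment above the macro, for example `/* Use only inside get_*(): needs locals 'str' and 'value'; on a match stores *value and returns ISC_R_SUCCESS. */`, and open both functions with `REQUIRE(value != NULL);`. Each function's header comment should also state that `*value` is left untouched on every failure return, so callers must read it only when the result is ISC_R_SUCCESS. get_match_type() continues past the end of this hunk.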
@@ -232,9 +248,8 @@ get_match_type(const cfg_obj_t *obj)
MATCH(6to4-self, DNS_SSUMATCHTYPE_6TO4SELF);
#endif
- INSIST(0);
- /* Not reached. */
- return DNS_SSUMATCHTYPE_NAME;
+ log_bug(unsupported match type '%s', str);
+ return ISC_R_NOTIMPLEMENTED;
}
static isc_result_t
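Review bot: The fall-through at the end of get_match_type() is reported through log_bug(), yet going by the ticket reference it appears reachable from stored policy data: a match type the BIND parser accepts but this partly `#ifdef`-guarded MATCH list does not map. A short comment before the log call would make that explicit, e.g. `/* Reached for a match type this build does not map; input-driven, not an invariant failure. */`, and the message would help operators more if it were phrased as an unsupported-policy error. A regression test that feeds such a policy string and expects ISC_R_NOTIMPLEMENTED instead of an abort would pin the hardened behaviour. The function begins in the previous hunk.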
@@ -422,8 +437,8 @@ acl_configure_zone_ssutable(const char *policy_str,
dns_zone_t *zone)
types = NULL;
stmt = cfg_listelt_value(el);
- grant = get_mode(stmt);
- match_type = get_match_type(stmt);
+ CHECK(get_mode(stmt, grant));
+ CHECK(get_match_type(stmt, match_type));
CHECK(get_fixed_name(stmt, identity, fident));
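Review bot: With these two CHECK() calls, one rule with an unrecognised mode or match type now fails configuration of the whole update policy, and the cleanup path that CHECK() presumably jumps to is outside this hunk. Please confirm that path discards the partially built table and attaches nothing to the zone, so a bad rule fails closed instead of installing only the rules parsed before it. A comment at the loop would record the intent, e.g. `/* Any rule that fails to parse rejects the whole policy; no partial table is attached. */`. acl_configure_zone_ssutable() starts and ends outside the hunk.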
--
1.7.11.7
--
Adam Tkac, Red Hat, Inc.