$OpenBSD: patch-servers_slapd_schema_init_c,v 1.1.1.1 2011/01/07 10:17:04 pea Exp $

SECURITY FIX

Resolves CVE-2010-0211 and CVE-2010-0212 (ITS#6570) 
from upstream

Also cure a crash in IA5StringNormalize() by sync'ing it with the same 
function from 2.4.23


--- servers/slapd/schema_init.c.orig	Mon Feb 11 18:24:17 2008
+++ servers/slapd/schema_init.c	Tue Aug  3 15:35:45 2010
@@ -1439,8 +1439,9 @@ UTF8StringNormalize(
 		? LDAP_UTF8_APPROX : 0;
 
 	val = UTF8bvnormalize( val, &tmp, flags, ctx );
+	/* out of memory or syntax error, the former is unlikely */
 	if( val == NULL ) {
-		return LDAP_OTHER;
+		return LDAP_INVALID_SYNTAX;
 	}
 	
 	/* collapse spaces (in place) */
@@ -2101,14 +2102,18 @@ IA5StringNormalize(
 	char *p, *q;
 	int casefold = !SLAP_MR_ASSOCIATED(mr, slap_schema.si_mr_caseExactIA5Match);
 
-	assert( SLAP_MR_IS_VALUE_OF_SYNTAX( use ));
+	assert( SLAP_MR_IS_VALUE_OF_SYNTAX( use ) != 0);
 
 	p = val->bv_val;
 
 	/* Ignore initial whitespace */
 	while ( ASCII_SPACE( *p ) ) p++;
 
-	normalized->bv_val = ber_strdup_x( p, ctx );
+	normalized->bv_len = val->bv_len - ( p - val->bv_val );
+	normalized->bv_val = slap_sl_malloc( normalized->bv_len + 1, ctx );
+	AC_MEMCPY( normalized->bv_val, p, normalized->bv_len );
+	normalized->bv_val[normalized->bv_len] = '\0';
+
 	p = q = normalized->bv_val;
 
 	while ( *p ) {
@@ -2137,7 +2142,7 @@ IA5StringNormalize(
 	 * position.  One is enough because the above loop collapsed
 	 * all whitespace to a single space.
 	 */
-	if ( ASCII_SPACE( q[-1] ) ) --q;
+	if ( q > normalized->bv_val && ASCII_SPACE( q[-1] ) ) --q;
 
 	/* null terminate */
 	*q = '\0';