Andrew Bartlett abartlet at samba.org
Mon Aug 17 04:41:27 UTC 2015

Sadly there is a segfault (DoS) bug in our new
LDAP_MATCH_RULE_TRANSITIVE_EVAL support added back in March this year. 


I've not had a chance to look into the details, but given that 4.3 RC3
is due tomorrow, I don't want to take any chances and here is the patch
to remove it again.

I've asked Adrian to look into this issue next, but this won't happen
fast enough for 4.3 I fear.  

We have two options for master:
 - keep the broken code and hope we get a patch soon
 - apply the attached revert.

For 4.3, unless we get a patch and fix before 4.3rc3, I see no option
other than to revert (possibly with cherry-pick markers).  

See attached.  Please discuss and review if appropriate. 


Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   

-------------- next part --------------
A non-text attachment was scrubbed...
Name: remove_ldb_match_in_chain.patch
Type: text/x-patch
Size: 15814 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150817/9b81f3a5/remove_ldb_match_in_chain.bin>

More information about the samba-technical mailing list