mod_ldap: Eliminate a potential crash with multiple LDAPTrustedClientCert when
authorEric Covener <covener@apache.org>
Tue, 23 Feb 2010 12:07:03 +0000 (12:07 +0000)
committerEric Covener <covener@apache.org>
Tue, 23 Feb 2010 12:07:03 +0000 (12:07 +0000)
some are not password-protected.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@915295 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/ldap/util_ldap.c

diff --git a/CHANGES b/CHANGES
index 96088f9d71dfeee566c9903f1fdb5c1383e69b43..682ef61224e9285973bd4a38c83a06cb63858288 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@
 
 Changes with Apache 2.3.7
 
+  *) mod_ldap: Eliminate a potential crash with multiple LDAPTrustedClientCert
+     when some are not password-protected. [Eric Covener]
+
   *) Fix startup segfault when the Mutex directive is used but no loaded 
      modules use httpd mutexes.  PR 48787.  [Jeff Trawick]
 
index b3a42bede22d806c2a576b3157d76c70c5c5f9ad..b6f3a35b55e8169fb9ec41cb20e60638bc476bd5 100644 (file)
@@ -625,9 +625,12 @@ static int compare_client_certs(apr_array_header_t *srcs,
     src = (struct apr_ldap_opt_tls_cert_t *)srcs->elts;
     dest = (struct apr_ldap_opt_tls_cert_t *)dests->elts;
     for (i = 0; i < srcs->nelts; i++) {
-        if (strcmp(src[i].path, dest[i].path) ||
-            strcmp(src[i].password, dest[i].password) ||
-            src[i].type != dest[i].type) {
+        if ((strcmp(src[i].path, dest[i].path)) ||
+            (src[i].type != dest[i].type) ||
+            /* One is passwordless? If so, then not equal */
+            ((src[i].password == NULL) ^ (dest[i].password == NULL)) ||
+            (src[i].password != NULL && dest[i].password != NULL &&
+             strcmp(src[i].password, dest[i].password))) {
             return 1;
         }
     }
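Review bot: The NULL handling added for `password` in the loop condition is not extended to `path`, which is still passed straight to `strcmp(src[i].path, dest[i].path)`. Whether `path` can be NULL for any certificate type is not visible in this hunk, so it is worth confirming that, or guarding it the same way. The final clause also repeats a test the XOR clause has already settled: once the XOR is false, both pointers are NULL or both are non-NULL, so `(src[i].password != NULL && strcmp(src[i].password, dest[i].password))` is sufficient. The loop indexes `dest[i]` up to `srcs->nelts`, so it depends on an element-count comparison earlier in `compare_client_certs`, which starts above the hunk and is not shown here.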