r26193: In the LDAP server, use the new 'controls_decoded' element to
authorAndrew Bartlett <abartlet@samba.org>
Thu, 29 Nov 2007 07:02:36 +0000 (08:02 +0100)
committerStefan Metzmacher <metze@samba.org>
Fri, 21 Dec 2007 04:46:44 +0000 (05:46 +0100)
determine if this (possibly critical) control has been decoded.  This
allows us to return an error, rather than just dropping the socket.

Andrew Bartlett

source/ldap_server/ldap_backend.c

index 5a953947f320d538db3f028b37a0ba3a3d48d4c5..a6697dfba8020fd653c858750d709e149acede43 100644 (file)
@@ -720,6 +720,18 @@ static NTSTATUS ldapsrv_AbandonRequest(struct ldapsrv_call *call)
 
 NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
 {
+       int i;
+       struct ldap_message *msg = call->request;
+       /* Check for undecoded critical extensions */
+       for (i=0; msg->controls && msg->controls[i]; i++) {
+               if (!msg->controls_decoded[i] && 
+                   msg->controls[i]->critical) {
+                       DEBUG(3, ("ldapsrv_do_call: Critical extension %s is not known to this server\n",
+                                 msg->controls[i]->oid));
+                       return ldapsrv_unwilling(call, LDAP_UNAVAILABLE_CRITICAL_EXTENSION);
+               }
+       }
+
        switch(call->request->type) {
        case LDAP_TAG_BindRequest:
                return ldapsrv_BindRequest(call);
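Review bot: The new loop in ldapsrv_do_call tests only `msg->controls` for NULL before reading `msg->controls_decoded[i]`, so it relies on the decoder always allocating both arrays with the same length. That decoder is not in this hunk, and this path runs on every client request, so a missing or shorter `controls_decoded` would be a NULL or out-of-bounds read reachable from the network. Treating an absent array as "not decoded" keeps the check fail-closed: `if ((!msg->controls_decoded || !msg->controls_decoded[i]) &&`. The check also sits ahead of the switch and so applies to every request type; RFC 4511 requires criticality to be ignored on UnbindRequest, so confirm what `ldapsrv_unwilling` does for a request that has no response message. The body of ldapsrv_do_call continues past the end of the hunk.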