authordelphij <delphij@FreeBSD.org>2011-05-03 03:22:41 +0800
committerdelphij <delphij@FreeBSD.org>2011-05-03 03:22:41 +0800
commit472fc264fec29cd24fd2c155f44497ffd0feebf9 (patch)
tree9e666dce089e897e4e936c9d2cebc684409437e7 /net/openldap24-server
parentf660948335f659f35e786cf37c99712e6d11ebc7 (diff)
inet_ntoa is not thread-safe because it uses a static buffer, which may
result in a race condition where, for instance, an IP-based ACL might result in a denial decision. Fix this by changing these inet_ntoa calls to inet_ntop with an on-stack buffer.

Reported by: Damian Hazen <dhazen lbl.gov>
Diffstat (limited to 'net/openldap24-server')
-rw-r--r--net/openldap24-server/Makefile2
-rw-r--r--net/openldap24-server/files/patch-servers__slapd__inet_ntoa.diff70
2 files changed, 71 insertions, 1 deletions
diff --git a/net/openldap24-server/Makefile b/net/openldap24-server/Makefile
index 70c6182fae6d..5bfde00dc65b 100644
--- a/net/openldap24-server/Makefile
+++ b/net/openldap24-server/Makefile
@@ -40,7 +40,7 @@ BROKEN= incompatible OpenLDAP version: ${WANT_OPENLDAP_VER}
.endif
PORTREVISION_CLIENT= 2
-PORTREVISION_SERVER= 1
+PORTREVISION_SERVER= 2
OPENLDAP_SHLIB_MAJOR= 8
OPTIONS= SASL "With (Cyrus) SASL2 support" off \
diff --git a/net/openldap24-server/files/patch-servers__slapd__inet_ntoa.diff b/net/openldap24-server/files/patch-servers__slapd__inet_ntoa.diff
new file mode 100644
index 000000000000..3d64dcade8f0
--- /dev/null
+++ b/net/openldap24-server/files/patch-servers__slapd__inet_ntoa.diff
@@ -0,0 +1,70 @@
+diff --git servers/slapd/connection.c servers/slapd/connection.c
+index aea3b39..65ce576 100644
+--- servers/slapd/connection.c
++++ servers/slapd/connection.c
+@@ -1500,12 +1500,21 @@ connection_input( Connection *conn , conn_readinfo *cri )
+ #ifdef LDAP_CONNECTIONLESS
+ if ( conn->c_is_udp ) {
+ char peername[sizeof("IP=255.255.255.255:65336")];
++ const char *peeraddr = NULL;
+
+ len = ber_int_sb_read(conn->c_sb, &peeraddr, sizeof(struct sockaddr));
+ if (len != sizeof(struct sockaddr)) return 1;
+
++#if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
++ char addr[INET_ADDRSTRLEN];
++ inet_ntop( AF_INET, &peeraddr.sa_in_addr.sin_addr,
++ addr, sizeof(addr) );
++ peeraddr = addr;
++#else /* ! HAVE_GETADDRINFO || ! HAVE_INET_NTOP */
++ peeraddr = inet_ntoa( peeraddr.sa_in_addr.sin_addr );
++#endif /* ! HAVE_GETADDRINFO || ! HAVE_INET_NTOP */
+ sprintf( peername, "IP=%s:%d",
+- inet_ntoa( peeraddr.sa_in_addr.sin_addr ),
++ peeraddr,
+ (unsigned) ntohs( peeraddr.sa_in_addr.sin_port ) );
+ Statslog( LDAP_DEBUG_STATS,
+ "conn=%lu UDP request from %s (%s) accepted.\n",
+diff --git servers/slapd/daemon.c servers/slapd/daemon.c
+index 8e8a69d..ccfa2ee 100644
+--- servers/slapd/daemon.c
++++ servers/slapd/daemon.c
+@@ -1971,8 +1971,16 @@ slap_listener(
+ # ifdef LDAP_PF_INET6
+ case AF_INET6:
+ if ( IN6_IS_ADDR_V4MAPPED(&from.sa_in6_addr.sin6_addr) ) {
++#if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
++ char addr[INET_ADDRSTRLEN];
++ inet_ntop( AF_INET,
++ ((struct in_addr *)&from.sa_in6_addr.sin6_addr.s6_addr[12]),
++ addr, sizeof(addr) );
++ peeraddr = addr;
++#else /* ! HAVE_GETADDRINFO || ! HAVE_INET_NTOP */
+ peeraddr = inet_ntoa( *((struct in_addr *)
+ &from.sa_in6_addr.sin6_addr.s6_addr[12]) );
++#endif /* ! HAVE_GETADDRINFO || ! HAVE_INET_NTOP */
+ sprintf( peername, "IP=%s:%d",
+ peeraddr != NULL ? peeraddr : SLAP_STRING_UNKNOWN,
+ (unsigned) ntohs( from.sa_in6_addr.sin6_port ) );
+@@ -1989,12 +1997,19 @@ slap_listener(
+ break;
+ # endif /* LDAP_PF_INET6 */
+
+- case AF_INET:
++ case AF_INET: {
++#if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
++ char addr[INET_ADDRSTRLEN];
++ inet_ntop( AF_INET, &from.sa_in_addr.sin_addr,
++ addr, sizeof(addr) );
++ peeraddr = addr;
++#else /* ! HAVE_GETADDRINFO || ! HAVE_INET_NTOP */
+ peeraddr = inet_ntoa( from.sa_in_addr.sin_addr );
++#endif /* ! HAVE_GETADDRINFO || ! HAVE_INET_NTOP */
+ sprintf( peername, "IP=%s:%d",
+ peeraddr != NULL ? peeraddr : SLAP_STRING_UNKNOWN,
+ (unsigned) ntohs( from.sa_in_addr.sin_port ) );
+- break;
++ } break;
+
+ default:
+ slapd_close(sfd);
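Review bot: In the connection.c hunk the added `const char *peeraddr = NULL;` is declared in the same block that then passes `&peeraddr` to ber_int_sb_read() with `sizeof(struct sockaddr)` and reads `peeraddr.sa_in_addr`, so under LDAP_CONNECTIONLESS the new pointer shadows the socket-address variable those lines need (presumably declared outside the hunk); the string pointer needs its own name, e.g. `const char *peeraddr_str = NULL;`, used in the two assignments and as the sprintf argument. In all three places the return value of inet_ntop() is discarded and `peeraddr = addr;` is always non-NULL, so on failure sprintf would format an uninitialized buffer and the `peeraddr != NULL ? peeraddr : SLAP_STRING_UNKNOWN` fallback in daemon.c can no longer trigger; assigning the result directly, `peeraddr = inet_ntop( AF_INET, &from.sa_in_addr.sin_addr, addr, sizeof(addr) );`, keeps the NULL-on-error behaviour. In daemon.c `addr` lives only inside the `if` body and the new `case AF_INET: { … }` braces, so if slap_listener reads peeraddr after the switch (not visible here) for an address-based access decision, it would point at a dead stack slot; declaring the buffer at function scope would avoid that. The enclosing functions start and end outside these hunks.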