fix small issues with dynacl and ACI in general

servers/slapd/acl.c

@@ -1387,14 +1387,15 @@ slap_acl_mask(
 	AccessControlState	*state )
 {
 	int		i;
-	Access	*b;
+	Access		*b;
 #ifdef LDAP_DEBUG
-	char accessmaskbuf[ACCESSMASK_MAXLEN];
+	char		accessmaskbuf[ACCESSMASK_MAXLEN];
 #if !defined( SLAP_DYNACL ) && defined( SLAPD_ACI_ENABLED )
-	char accessmaskbuf1[ACCESSMASK_MAXLEN];
+	char		accessmaskbuf1[ACCESSMASK_MAXLEN];
 #endif /* !SLAP_DYNACL && SLAPD_ACI_ENABLED */
 #endif /* DEBUG */
-	const char *attr;
+	const char	*attr;
+	slap_mask_t	a2pmask = ACL_ACCESS2PRIV( *mask );
 
 	assert( a != NULL );
 	assert( mask != NULL );
@@ -1973,7 +1974,7 @@ slap_acl_mask(
 			/* first check if the right being requested
 			 * is allowed by the ACL clause.
 			 */
-			if ( ! ACL_GRANT( b->a_access_mask, *mask ) ) {
+			if ( ! ACL_PRIV_ISSET( b->a_access_mask, a2pmask ) ) {
 				continue;
 			}
 
@@ -1982,7 +1983,11 @@ slap_acl_mask(
 			ACL_INIT(tdeny);
 
 			for ( da = b->a_dynacl; da; da = da->da_next ) {
-				slap_access_t	grant, deny;
+				slap_access_t	grant,
+						deny;
+
+				ACL_INIT(grant);
+				ACL_INIT(deny);
 
 				Debug( LDAP_DEBUG_ACL, "    <= check a_dynacl: %s\n",
 					da->da_name, 0, 0 );
@@ -2067,11 +2072,11 @@ slap_acl_mask(
 				* rights given by the acis.
 				*/
 				for ( i = 0; !BER_BVISNULL( &at->a_nvals[i] ); i++ ) {
-					if (aci_mask( op,
+					if ( aci_mask( op,
 						e, desc, val,
 						&at->a_nvals[i],
 						nmatch, matches,
-						&grant, &deny, SLAP_ACI_SCOPE_ENTRY ) != 0)
+						&grant, &deny, SLAP_ACI_SCOPE_ENTRY ) != 0 )
 					{
 						tgrant |= grant;
 						tdeny |= deny;
@@ -2098,13 +2103,13 @@ slap_acl_mask(
 							break;
 						}
 
-						for( i = 0; bvals[i].bv_val != NULL; i++){
+						for ( i = 0; !BER_BVISNULL( &bvals[i] ); i++ ) {
 #if 0
 							/* FIXME: this breaks acl caching;
 							 * see also ACL_RECORD_VALUE_STATE above */
 							ACL_RECORD_VALUE_STATE;
 #endif
-							if (aci_mask(op, e, desc, val, &bvals[i],
+							if ( aci_mask( op, e, desc, val, &bvals[i],
 									nmatch, matches,
 									&grant, &deny, SLAP_ACI_SCOPE_CHILDREN ) != 0 )
 							{
@@ -2213,6 +2218,8 @@ slap_acl_mask(
 			*mask = modmask;
 		}
 
+		a2pmask = *mask;
+
 		Debug( LDAP_DEBUG_ACL,
 			"<= acl_mask: [%d] mask: %s\n",
 			i, accessmask2str(*mask, accessmaskbuf, 1), 0 );

servers/slapd/aclparse.c

@@ -2250,6 +2250,20 @@ access_free( Access *a )
 	if ( !BER_BVISNULL( &a->a_group_pat ) ) {
 		free( a->a_group_pat.bv_val );
 	}
+	if ( a->a_dynacl != NULL ) {
+		slap_dynacl_t	*da;
+		for ( da = a->a_dynacl; da; ) {
+			slap_dynacl_t	*tmp = da;
+
+			da = da->da_next;
+
+			if ( tmp->da_destroy ) {
+				tmp->da_destroy( tmp->da_private );
+			}
+
+			ch_free( tmp );
+		}
+	}
 	free( a );
 }
 
@@ -2263,6 +2277,9 @@ acl_free( AccessControl *a )
 		filter_free( a->acl_filter );
 	}
 	if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
+		if ( a->acl_dn_style == ACL_STYLE_REGEX ) {
+			regfree( &a->acl_dn_re );
+		}
 		free ( a->acl_dn_pat.bv_val );
 	}
 	if ( a->acl_attrs ) {
@@ -2523,8 +2540,9 @@ access2text( Access *b, char *ptr )
 
 		for ( da = b->a_dynacl; da; da = da->da_next ) {
 			if ( da->da_unparse ) {
-				struct berval bv;
+				struct berval bv = BER_BVNULL;
 				(void)( *da->da_unparse )( da->da_private, &bv );
+				assert( !BER_BVISNULL( &bv ) );
 				ptr = lutil_strcopy( ptr, bv.bv_val );
 				ch_free( bv.bv_val );
 			}