| author | Rich Megginson <rmeggins@redhat.com> | 2006-02-23 20:45:22 +0000 |
|---|---|---|
| committer | Rich Megginson <rmeggins@redhat.com> | 2006-02-23 20:45:22 +0000 |
| commit | d62cdb091aae94777755f2db4e00cab968289202 (patch) | |
| tree | ed6afecbe7435cbd1a372188f7216051fa49eb1e /ldap/servers/plugins/replication | |
| parent | 797845db5ad09f0656bc954e335669603ef47a17 (diff) | |
Bug(s) fixed: 179135
Bug Description: memory leaks using ber_scanf when handling bad BER packets
Reviewed by: All (Thanks!)
Files: https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=123783
Branch: HEAD
Fix Description:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179135#c0
I basically did a search through our code for all calls to ber_scanf,
ber_get_stringa, and ber_get_stringal and made sure we properly free any
arguments that may have been allocated. There was a bug in the ldapsdk
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179135 that causes
us to free uninitialized memory when trying to clean up the result of
ber_get_stringal (or ber_scanf with 'V'). I had to initialize some
variables to NULL so that we could properly clean them up, and added
some additional clean ups that were missing. Also, in repl_extop.c, we
were calling free on an array that we should have been calling
ch_array_free on. Yet another lesson in the evils of slapi_ch_free and
disabling compiler type checks in general.
Platforms tested: Fedora Core 4
Flag Day: no
Doc impact: no
Diffstat (limited to 'ldap/servers/plugins/replication')
| -rw-r--r-- | ldap/servers/plugins/replication/repl5_total.c | 5 | ||||
| -rw-r--r-- | ldap/servers/plugins/replication/repl_controls.c | 8 | ||||
| -rw-r--r-- | ldap/servers/plugins/replication/repl_extop.c | 3 |
3 files changed, 10 insertions, 6 deletions
diff --git a/ldap/servers/plugins/replication/repl5_total.c b/ldap/servers/plugins/replication/repl5_total.c index 65d719e4..a5cab31d 100644 --- a/ldap/servers/plugins/replication/repl5_total.c +++ b/ldap/servers/plugins/replication/repl5_total.c @@ -585,7 +585,7 @@ my_ber_scanf_attr (BerElement *ber, Slapi_Attr **attr, PRBool *deleted) char *lasti; unsigned long len; unsigned long tag; - char *str; + char *str = NULL; int rc; Slapi_Value *value; @@ -685,6 +685,9 @@ loser: if (value) slapi_value_free (&value); + slapi_ch_free_string(&attrtype); + slapi_ch_free_string(&str); + return -1; } diff --git a/ldap/servers/plugins/replication/repl_controls.c b/ldap/servers/plugins/replication/repl_controls.c index 51e9900c..2cf0f928 100644 --- a/ldap/servers/plugins/replication/repl_controls.c +++ b/ldap/servers/plugins/replication/repl_controls.c @@ -349,15 +349,15 @@ add_repl_control_mods( Slapi_PBlock *pb, Slapi_Mods *smods ) emtag != LBER_ERROR && emtag != LBER_END_OF_SEQORSET; emtag = ber_next_element( ember, &emlen, emlast )) { - struct berval **embvals; - if ( ber_scanf( ember, "{i{a[V]}}", &op, &type, &embvals ) == LBER_ERROR ) + struct berval **embvals = NULL; + type = NULL; + if ( ber_scanf( ember, "{i{a[V]}}", &op, &type, &embvals ) != LBER_ERROR ) { - continue; + slapi_mods_add_modbvps( smods, op, type, embvals); /* GGOODREPL I suspect this will cause two sets of lastmods attr values to end up in the entry. We need to remove the old ones. */ } - slapi_mods_add_modbvps( smods, op, type, embvals); free( type ); ber_bvecfree( embvals ); } diff --git a/ldap/servers/plugins/replication/repl_extop.c b/ldap/servers/plugins/replication/repl_extop.c index 22b829f7..132657ab 100644 --- a/ldap/servers/plugins/replication/repl_extop.c +++ b/ldap/servers/plugins/replication/repl_extop.c 
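Review bot: `Slapi_Value *value;` in the declaration hunk of repl5_total.c is still uninitialised, yet the `loser:` path in the second hunk tests `if (value)` before calling `slapi_value_free (&value)`. If any `goto loser` is taken before `value` is first assigned (the jumps are outside both hunks), that reads an indeterminate pointer, the same class of fault this commit removes for `str`; declare it as `Slapi_Value *value = NULL;`. The new `slapi_ch_free_string(&attrtype);` has the same precondition, and the declaration of `attrtype` is not in either hunk, so confirm it is initialised to NULL as well. my_ber_scanf_attr starts before the first hunk and its decoding logic lies between the two.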
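Review bot: A failed `ber_scanf` in the repl_controls.c loop is still dropped without a trace: the new code only skips `slapi_mods_add_modbvps` and then goes on to `ber_next_element`. A malformed modification inside a replication control therefore leaves no log entry, and the remaining elements are presumably decoded from wherever the failed scan left `ember`. I would add an `else` branch that logs the rejected element and breaks out of the loop, so bad BER from a peer is visible to an operator and parsing stops at the first error. Separately, `free( type );` could become `slapi_ch_free_string(&type);` to match the deallocator this commit uses for `ber_scanf` strings in repl5_total.c, assuming both come from the same allocator. The loop header and the rest of add_repl_control_mods are outside the hunk.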
@@ -384,7 +384,8 @@ free_and_return: /* slapi_ch_free accepts NULL pointer */ slapi_ch_free ((void**)protocol_oid); slapi_ch_free ((void**)repl_root); - slapi_ch_free ((void **)extra_referrals); + slapi_ch_array_free (*extra_referrals); + *extra_referrals = NULL; slapi_ch_free ((void**)csnstr); if (*supplier_ruv) |
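Review bot: The comment `/* slapi_ch_free accepts NULL pointer */` no longer covers every call beneath it, because the new `slapi_ch_array_free (*extra_referrals);` dereferences the out-parameter at the call site, which `slapi_ch_free ((void **)extra_referrals)` did not. That is safe only if `extra_referrals` is never NULL and `*extra_referrals` was set to NULL before the first jump to `free_and_return`. Neither is visible here, since the cleanup block starts and ends outside the hunk. I would extend the comment to state the precondition, e.g. `/* out-params are non-NULL and were set to NULL on entry; slapi_ch_free and slapi_ch_array_free accept NULL */`, and confirm that initialisation at the top of the function.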
