author | Rich Megginson <rmeggins@redhat.com> | 2008-08-27 21:05:17 +0000 |
---|---|---|
committer | Rich Megginson <rmeggins@redhat.com> | 2008-08-27 21:05:17 +0000 |
commit | 3cbd862d52228960b9a9a735b81d4a2da14d0ee9 (patch) | |
tree | c2b0a39b0f8a1673b620251324a682f9bd8b0d78 | |
parent | f38168d04718776fac0c0ab09f095837d24d4503 (diff) | |
Resolves: bug 458506
Bug Description: SASL bind can leak credentials in some cases
Reviewed by: nkinder, nhosoi (Thanks!)
Branch: HEAD
Fix Description: There is this call in saslbind.c line 767:
/* can't do any harm */
if (cred->bv_len == 0) cred->bv_val = NULL;
apparently in some cases, cred bv_len is 0 but cred->bv_val is not-null. This
causes a leak of cred->bv_val.
The fix is to make sure cred->bv_val is freed if bv_len is 0. This should
catch all cases where this erroneous assumption is made.
Platforms tested: RHEL5, Fedora 8
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
-rw-r--r-- | ldap/servers/slapd/bind.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c index aede545c..0e940903 100644 --- a/ldap/servers/slapd/bind.c +++ b/ldap/servers/slapd/bind.c @@ -189,6 +189,9 @@ do_bind( Slapi_PBlock *pb ) ber_len_t clen; if (( ber_peek_tag( ber, &clen )) == LBER_OCTETSTRING ) { rc = ber_scanf( ber, "o}}", &cred ); + if (cred.bv_len == 0) { + slapi_ch_free_string(&cred.bv_val); + } } else { rc = ber_scanf( ber, "}}" ); } @@ -210,6 +213,9 @@ do_bind( Slapi_PBlock *pb ) /* FALLTHROUGH */ case LDAP_AUTH_SIMPLE: rc = ber_scanf( ber, "o}", &cred ); + if (cred.bv_len == 0) { + slapi_ch_free_string(&cred.bv_val); + } break; default: log_bind_access (pb, slapi_sdn_get_dn (&sdn), method, version, saslmech, "Unknown bind method"); |
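Review bot: in the first hunk (@@ -189,6), the new `cred.bv_len == 0` test runs directly after `rc = ber_scanf( ber, "o}}", &cred );`, before rc is looked at. Nothing in the visible lines guarantees that cred was filled in when the decode fails, so on an error return the test and the free would act on whatever cred held before the call. Suggest checking rc first, or confirming that cred is zero-initialized where it is declared, before touching cred.bv_val. The fix also depends on slapi_ch_free_string() setting the pointer to NULL after freeing, which is what lets later code see a NULL bv_val; a short comment saying so would help the next reader.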
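Review bot: in the second hunk (@@ -210,6), under `case LDAP_AUTH_SIMPLE:`, the same three-line block is added a second time, and neither copy has a comment explaining why a zero-length credential needs freeing. Suggest moving the normalization into one small helper called from both places, with a comment recording what the commit message says: the decode can leave bv_val non-NULL while bv_len is 0, and saslbind.c later overwrites bv_val with NULL when bv_len is 0. Keeping that reasoning next to the code makes it less likely that a future bind method is added without the same cleanup.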