authorRich Megginson <rmeggins@redhat.com>2008-08-28 17:19:52 +0000
committerRich Megginson <rmeggins@redhat.com>2008-08-28 17:19:52 +0000
commit6bc259c11648699c13fc0edf7feb1ac11ee83b0b (patch)
tree402b672db5137525a4d6677c006dac5c83129ce9
parent9698ac766c3dd7fb7e95fd01aa11859d1428f25b (diff)
Resolves: bug 458506
Bug Description: SASL bind can leak credentials in some cases Reviewed by: nkinder, nhosoi (Thanks!) Fix Description: There is this call in saslbind.c line 767: /* can't do any harm */ if (cred->bv_len == 0) cred->bv_val = NULL; apparently in some cases, cred bv_len is 0 but cred->bv_val is not-null. This causes a leak of cred->bv_val. The fix is to make sure cred->bv_val is freed if bv_len is 0. This should catch all cases where this erroneous assumption is made. Platforms tested: RHEL5, Fedora 8 Flag Day: no Doc impact: no QA impact: should be covered by regular nightly and manual testing New Tests integrated into TET: none
-rw-r--r--ldap/servers/slapd/bind.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index 6b8314d2..b3e9f36d 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -189,6 +189,9 @@ do_bind( Slapi_PBlock *pb )
ber_len_t clen;
if (( ber_peek_tag( ber, &clen )) == LBER_OCTETSTRING ) {
rc = ber_scanf( ber, "o}}", &cred );
+ if (cred.bv_len == 0) {
+ slapi_ch_free_string(&cred.bv_val);
+ }
} else {
rc = ber_scanf( ber, "}}" );
}
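Review bot: The added `if (cred.bv_len == 0)` test runs before `rc` from `ber_scanf` is examined, so on a decode failure it reads and may free whatever `cred` held beforehand. The declaration of `cred` is outside the hunk, so either confirm it is zero-initialised there or test the result first, e.g. `if (rc != LBER_ERROR && cred.bv_len == 0) {`. The identical block added under `case LDAP_AUTH_SIMPLE:` in the second hunk has the same ordering. A short comment such as `/* "o" can return an allocated bv_val for an empty octet string; later code treats bv_len == 0 as "no credentials" and would drop the pointer */` at both sites would record why the free is needed. The body of do_bind starts and ends outside both hunks.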
@@ -210,6 +213,9 @@ do_bind( Slapi_PBlock *pb )
/* FALLTHROUGH */
case LDAP_AUTH_SIMPLE:
rc = ber_scanf( ber, "o}", &cred );
+ if (cred.bv_len == 0) {
+ slapi_ch_free_string(&cred.bv_val);
+ }
break;
default:
log_bind_access (pb, slapi_sdn_get_dn (&sdn), method, version, saslmech, "Unknown bind method");