author | Rich Megginson <rmeggins@redhat.com> | 2008-08-28 17:19:52 +0000 |
---|---|---|
committer | Rich Megginson <rmeggins@redhat.com> | 2008-08-28 17:19:52 +0000 |
commit | 6bc259c11648699c13fc0edf7feb1ac11ee83b0b (patch) | |
tree | 402b672db5137525a4d6677c006dac5c83129ce9 | |
parent | 9698ac766c3dd7fb7e95fd01aa11859d1428f25b (diff) | |
Resolves: bug 458506
Bug Description: SASL bind can leak credentials in some cases
Reviewed by: nkinder, nhosoi (Thanks!)
Fix Description: There is this call in saslbind.c line 767:
/* can't do any harm */
if (cred->bv_len == 0) cred->bv_val = NULL;
Apparently, in some cases, cred bv_len is 0 but cred->bv_val is not NULL. This
causes a leak of cred->bv_val.
The fix is to make sure cred->bv_val is freed if bv_len is 0. This should
catch all cases where this erroneous assumption is made.
Platforms tested: RHEL5, Fedora 8
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
-rw-r--r-- | ldap/servers/slapd/bind.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c index 6b8314d2..b3e9f36d 100644 --- a/ldap/servers/slapd/bind.c +++ b/ldap/servers/slapd/bind.c @@ -189,6 +189,9 @@ do_bind( Slapi_PBlock *pb ) ber_len_t clen; if (( ber_peek_tag( ber, &clen )) == LBER_OCTETSTRING ) { rc = ber_scanf( ber, "o}}", &cred ); + if (cred.bv_len == 0) { + slapi_ch_free_string(&cred.bv_val); + } } else { rc = ber_scanf( ber, "}}" ); } @@ -210,6 +213,9 @@ do_bind( Slapi_PBlock *pb ) /* FALLTHROUGH */ case LDAP_AUTH_SIMPLE: rc = ber_scanf( ber, "o}", &cred ); + if (cred.bv_len == 0) { + slapi_ch_free_string(&cred.bv_val); + } break; default: log_bind_access (pb, slapi_sdn_get_dn (&sdn), method, version, saslmech, "Unknown bind method"); |
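Review bot: In the first hunk (@@ -189,6 +189,9 @@), the new `if (cred.bv_len == 0)` test runs immediately after `rc = ber_scanf( ber, "o}}", &cred );` without looking at rc. If the decode fails, cred may not hold a decoded value, so the free is only safe when cred is zero-initialised at its declaration, which this hunk does not show. Either gate the free on the ber_scanf call having succeeded, or add a comment stating that cred starts out with bv_len 0 and bv_val NULL.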
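Review bot: In the second hunk (@@ -210,6 +213,9 @@, under case LDAP_AUTH_SIMPLE), the three added lines repeat the block from the first hunk verbatim, and neither copy carries a comment. A one-line comment explaining that a zero-length credential can still come back with an allocated bv_val, and that the later check in saslbind.c drops the pointer without freeing it, would stop this from being removed as dead code. A small static helper called from both sites would also keep the two bind paths in step.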