authorRich Megginson <rmeggins@redhat.com>2006-02-23 20:45:22 +0000
committerRich Megginson <rmeggins@redhat.com>2006-02-23 20:45:22 +0000
commitd62cdb091aae94777755f2db4e00cab968289202 (patch)
treeed6afecbe7435cbd1a372188f7216051fa49eb1e /ldap/servers/slapd/add.c
parent797845db5ad09f0656bc954e335669603ef47a17 (diff)
Bug(s) fixed: 179135
Bug Description: memory leaks using ber_scanf when handling bad BER packets Reviewed by: All (Thanks!) Files: https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=123783 Branch: HEAD Fix Description: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179135#c0 I basically did a search through our code for all calls to ber_scanf, ber_get_stringa, and ber_get_stringal and made sure we properly free any arguments that may have been allocated. There was a bug in the ldapsdk https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179135 that causes us to free uninitialized memory when trying to clean up the result of ber_get_stringal (or ber_scanf with 'V'). I had to initialize some variables to NULL so that we could properly clean them up, and added some additional clean ups that were missing. Also, in repl_extop.c, we were calling free on an array that we should have been calling ch_array_free on. Yet another lesson in the evils of slapi_ch_free and disabling compiler type checks in general. Platforms tested: Fedora Core 4 Flag Day: no Doc impact: no
Diffstat (limited to 'ldap/servers/slapd/add.c')
-rw-r--r--ldap/servers/slapd/add.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/ldap/servers/slapd/add.c b/ldap/servers/slapd/add.c
index bdae324a..d8bfe328 100644
--- a/ldap/servers/slapd/add.c
+++ b/ldap/servers/slapd/add.c
@@ -102,8 +102,9 @@ do_add( Slapi_PBlock *pb )
*/
/* get the name */
{
- char *dn;
+ char *dn = NULL;
if ( ber_scanf( ber, "{a", &dn ) == LBER_ERROR ) {
+ slapi_ch_free_string(&dn);
LDAPDebug( LDAP_DEBUG_ANY,
"ber_scanf failed (op=Add; params=DN)\n", 0, 0, 0 );
op_shared_log_error_access (pb, "ADD", "???", "decoding error");
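Review bot: The `= NULL` initialisers on `dn` here and on `vals` in the second hunk are what make the new error-path frees safe, but nothing at the declarations says so. Going by the commit description, the decoder can fail without leaving a usable value in its output arguments, so a later edit that drops an initialiser would pass an uninitialised pointer to `slapi_ch_free_string` or `ber_bvecfree` whenever a malformed request arrives. I would add a comment at each declaration, for example `/* must start NULL: ber_scanf may fail before storing, and the error path frees this */`. The `if` body continues past the end of this hunk.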
@@ -121,11 +122,13 @@ do_add( Slapi_PBlock *pb )
tag != LBER_DEFAULT && tag != LBER_END_OF_SEQORSET;
tag = ber_next_element( ber, &len, last ) ) {
char *type = NULL, *normtype = NULL;
- struct berval **vals;
+ struct berval **vals = NULL;
if ( ber_scanf( ber, "{a{V}}", &type, &vals ) == LBER_ERROR ) {
op_shared_log_error_access (pb, "ADD", slapi_sdn_get_dn (slapi_entry_get_sdn_const(e)), "decoding error");
send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL,
"decoding error", 0, NULL );
+ slapi_ch_free_string(&type);
+ ber_bvecfree( vals );
goto free_and_return;
}
@@ -134,7 +137,7 @@ do_add( Slapi_PBlock *pb )
op_shared_log_error_access (pb, "ADD", slapi_sdn_get_dn (slapi_entry_get_sdn_const(e)), "null value");
send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL, NULL,
0, NULL );
- free( type );
+ slapi_ch_free_string(&type);
goto free_and_return;
}
@@ -144,7 +147,7 @@ do_add( Slapi_PBlock *pb )
PR_snprintf (ebuf, BUFSIZ, "invalid type '%s'", type);
op_shared_log_error_access (pb, "ADD", slapi_sdn_get_dn (slapi_entry_get_sdn_const(e)), ebuf);
send_ldap_result( pb, rc, NULL, ebuf, 0, NULL );
- free( type );
+ slapi_ch_free_string(&type);
slapi_ch_free( (void**)&normtype );
ber_bvecfree( vals );
goto free_and_return;
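Review bot: The line right after the changed one still frees `normtype` with `slapi_ch_free( (void**)&normtype )`, so this error path now mixes the typed free and the cast-based free for two `char *` locals. `normtype` is declared `char *` in the second hunk, so `slapi_ch_free_string(&normtype);` would keep the compiler's type check that the commit description itself argues for. The enclosing loop body starts and ends outside this hunk.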