Bug(s) fixed: 179135

Bug Description: memory leaks using ber_scanf when handling bad BER packets
Reviewed by: All (Thanks!)
Files: https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=123783
Branch: HEAD
Fix Description:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179135#c0
I basically did a search through our code for all calls to ber_scanf,
ber_get_stringa, and ber_get_stringal and made sure we properly free any
arguments that may have been allocated.  There was a bug in the ldapsdk
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179135 that causes
us to free uninitialized memory when trying to clean up the result of
ber_get_stringal (or ber_scanf with 'V').  I had to initialize some
variables to NULL so that we could properly clean them up, and added
some additional clean ups that were missing.  Also, in repl_extop.c, we
were calling free on an array that we should have been calling
ch_array_free on.  Yet another lesson in the evils of slapi_ch_free and
disabling compiler type checks in general.
Platforms tested: Fedora Core 4
Flag Day: no
Doc impact: no

1 files changed, 4 insertions, 4 deletions

diff --git a/ldap/servers/slapd/modrdn.c b/ldap/servers/slapd/modrdn.c
index 1f53a641..64ccccf4 100644
--- a/ldap/servers/slapd/modrdn.c
+++ b/ldap/servers/slapd/modrdn.c
@@ -66,10 +66,10 @@ do_modrdn( Slapi_PBlock *pb )
 {
 	Slapi_Operation *operation;
 	BerElement	*ber;
-	char		*dn, *newsuperior = NULL;
+	char		*dn = NULL, *newsuperior = NULL;
 	char        *newrdn = NULL;
-	int			err, deloldrdn;
-	unsigned long	len;
+	int			err = 0, deloldrdn = 0;
+	unsigned long	len = 0;
 
 	LDAPDebug( LDAP_DEBUG_TRACE, "do_modrdn\n", 0, 0, 0 );
 
@@ -99,7 +99,7 @@ do_modrdn( Slapi_PBlock *pb )
 		send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL,
 		    "unable to decode DN, newRDN, or deleteOldRDN parameters",
 		    0, NULL );
-		return;
+        goto free_and_return;
 	}
 
 	if ( ber_peek_tag( ber, &len ) == LDAP_TAG_NEWSUPERIOR ) {