From 839e52c73e04e782c8069fe9c9e1aeea0b73a1c0 Mon Sep 17 00:00:00 2001
From: Nathan Kinder
Date: Mon, 13 Sep 2010 09:20:21 -0700
Subject: Bug 630097 - (cov#11933) Fix NULL dereference in schema code There is a possibility of deferencing prevocp when it is NULL the second time through the loop if the first pass was not a standard objectclass definition and tmpocp != curlisthead. I don't think that this issue is possible unless some other thread was able to modify tmpocp->oc_next between where curlisthead is set (schema.c:2654) and where nextocp is set (schema.c:2658) the first time through the loop. That said, I see no harm in checking if prevocp is NULL before attempting to dereference it.
---
 ldap/servers/slapd/schema.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ldap/servers/slapd/schema.c b/ldap/servers/slapd/schema.c
index 6e2fefe7..14f3e765 100644
--- a/ldap/servers/slapd/schema.c
+++ b/ldap/servers/slapd/schema.c
@@ -2653,7 +2653,9 @@ clean_up_and_return:
 if ( tmpocp == curlisthead ) {
 curlisthead = tmpocp->oc_next;
 } else {
- prevocp->oc_next = tmpocp->oc_next;
+ if (prevocp) {
+ prevocp->oc_next = tmpocp->oc_next;
+ }
 }
 nextocp = tmpocp->oc_next;
 oc_free( &tmpocp );
-- cgit
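Review bot: When `prevocp` is NULL in the `else` branch, the new guard skips the unlink but the following `nextocp = tmpocp->oc_next;` and `oc_free( &tmpocp );` still run, so the node would be freed while a list pointer may still reference it; the NULL dereference is traded for a possible dangling pointer. The commit message expects this state only if another thread changes the list mid-loop, in which case the guard hides a synchronization gap rather than closing it, so it is worth confirming that whatever lock protects the objectclass list is held across this cleanup loop. Consider making the unexpected case explicit: use `} else if (prevocp) {` for the unlink and add a final `else` that logs the inconsistency and leaves `tmpocp` unfreed, since leaking one node is safer than freeing one that is still linked. The loop and the `clean_up_and_return` block begin and end outside the hunk, so how `prevocp` is advanced cannot be verified from here.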