From 19a78e49699d9ac89c44fbe7715837f9f2ad567f Mon Sep 17 00:00:00 2001
From: William Brown
Date: Wed, 23 Dec 2015 13:33:56 +1000
Subject: [PATCH] Ticket 48395 - ASAN - Use after free in uiduniq 7bit.c

Bug Description: Asan detected a use after free in 7bit.c during a modrdn operation. This may cause the directory to crash if a specially crafted modrdn request is made, or may be exploitable in some other way.
Fix Description: We move the issue_error directive before the slapi_entry is freed, which means that we are using before the free instead.
https://fedorahosted.org/389/ticket/48395
Author: wibrown
Review by: ???
---
 dirsrvtests/tmp/__init__.py | 0
 ldap/servers/plugins/uiduniq/7bit.c | 13 ++++++++-----
 2 files changed, 8 insertions(+), 5 deletions(-)
 delete mode 100644 dirsrvtests/tmp/__init__.py
diff --git a/dirsrvtests/tmp/__init__.py b/dirsrvtests/tmp/__init__.py
deleted file mode 100644
index e69de29..0000000
diff --git a/ldap/servers/plugins/uiduniq/7bit.c b/ldap/servers/plugins/uiduniq/7bit.c
index bb7dc64..fe43f98 100644
--- a/ldap/servers/plugins/uiduniq/7bit.c
+++ b/ldap/servers/plugins/uiduniq/7bit.c
@@ -650,17 +650,20 @@ preop_modrdn(Slapi_PBlock *pb)
 }
 }
 /* don't have to go on if there is a value not 7-bit clean */
- if (result) break;
+ if (result) {
+ /* WB we need to issue the error before we free slapi_entry, else we
+ * are triggering a use after free because we free violated.
+ */
+ issue_error(pb, result, "MODRDN", violated);
+ break;
+ }
+
 }
 END
 /* Clean-up */
 if (e) slapi_entry_free(e);
- if (result) {
- issue_error(pb, result, "MODRDN", violated);
- }
-
 return (result==LDAP_SUCCESS)?0:-1;
 }
-- 
2.5.0
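Review bot: Removing the `if (result) { issue_error(...); }` block after `END` leaves the new branch inside the loop as the only visible caller of issue_error, so any other path that exits the BEGIN/END section with `result` set would now return -1 without issue_error running. Those paths are outside this hunk (preop_modrdn starts above it), so this needs checking against the full function body. Reordering the clean-up would fix the use after free while keeping one reporting point for every failure: leave the loop as `if (result) break;` and run `if (result) issue_error(pb, result, "MODRDN", violated);` before `if (e) slapi_entry_free(e);`. If violated does point into the entry, as the description implies, the comment would be more precise as `/* violated points into e, so report the error before e is freed */`. The diffstat shows no regression test for the modrdn case ASan flagged, which would be worth adding so the ordering cannot silently regress.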