From b901056ab1ca3ba2c482de5bcb15c077793996a9 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi
Date: Wed, 28 Sep 2016 15:28:28 -0700
Subject: [PATCH] Ticket #48987 - Heap use after free in dblayer_close_indexes
Description: Once an attribute info is deleted, its backpointer dblayer_handle_ai_backpointer in the dblayer handle needs to be set to NULL not to access the address again.
---
 ldap/servers/slapd/back-ldbm/dblayer.c | 1 -
 ldap/servers/slapd/back-ldbm/ldbm_attr.c | 4 ++++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/ldap/servers/slapd/back-ldbm/dblayer.c b/ldap/servers/slapd/back-ldbm/dblayer.c
index 54f05ba..dd778a9 100644
--- a/ldap/servers/slapd/back-ldbm/dblayer.c
+++ b/ldap/servers/slapd/back-ldbm/dblayer.c
@@ -2516,7 +2516,6 @@ int dblayer_close_indexes(backend *be)
     pDB = handle->dblayer_dbp;
     return_value |= pDB->close(pDB,0);
     next = handle->dblayer_handle_next;
-    *((dblayer_handle **)handle->dblayer_handle_ai_backpointer) = NULL;
     slapi_ch_free((void**)&handle);
 }
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_attr.c b/ldap/servers/slapd/back-ldbm/ldbm_attr.c
index c748604..bfcc3fb 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_attr.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_attr.c
@@ -59,6 +59,10 @@ attrinfo_delete(struct attrinfo **pp)
     slapi_ch_free((void**)&((*pp)->ai_attrcrypt));
     attr_done(&((*pp)->ai_sattr));
     attrinfo_delete_idlistinfo(&(*pp)->ai_idlistinfo);
+    if ((*pp)->ai_dblayer) {
+        /* attriinfo is deleted. Cleaning up the backpointer at the same time. */
+        ((dblayer_handle *)((*pp)->ai_dblayer))->dblayer_handle_ai_backpointer = NULL;
+    }
     slapi_ch_free((void**)pp);
     *pp= NULL;
 }
-- 
2.4.11
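Review bot: Dropping the backpointer write leaves the attrinfo's `ai_dblayer` pointing at memory that `slapi_ch_free((void**)&handle)` two lines below releases, so the new guard in ldbm_attr.c (`if ((*pp)->ai_dblayer)`) writes through a freed handle whenever dblayer_close_indexes runs before attrinfo_delete instead of after it. Whether that ordering can happen is not visible from the hunk, but the commit description itself states the backpointer is NULL once the attrinfo is gone, so keeping the write behind a NULL check is safe in either order: `if (handle->dblayer_handle_ai_backpointer) { *((dblayer_handle **)handle->dblayer_handle_ai_backpointer) = NULL; }`. The same two-way-link concern applies to the ldbm_attr.c hunk. The loop and the rest of dblayer_close_indexes's body lie outside the hunk.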
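Review bot: The comment added inside the `ai_dblayer` guard misspells the struct name (`attriinfo`) and does not say what the write protects against; suggest `/* This attrinfo is being freed: clear the dblayer handle's backpointer so dblayer_close_indexes does not dereference freed memory. */`. The `(dblayer_handle *)` cast suggests `ai_dblayer` is declared as an untyped pointer; if so, a one-line comment on the field (or declaring it as `dblayer_handle *`) would let the compiler check this write. The start of attrinfo_delete's body lies outside the hunk.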