[389-commits] ldap/servers

Noriko Hosoi nhosoi at fedoraproject.org
Tue Aug 7 19:48:59 UTC 2012


 ldap/servers/slapd/filter.c |    2 ++
 ldap/servers/slapd/util.c   |    2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

New commits:
commit de8fd7d0e596e4de885b4dda6bf5329469880c45
Author: Noriko Hosoi <nhosoi at totoro.usersys.redhat.com>
Date:   Tue Aug 7 12:21:04 2012 -0700

    Ticket 328 - make sure all internal search filters are properly escaped
    
    Fix description:
    Fixing double-free issues introduced with commit 3cf9a521fa43183c657a5dca507dec3a4379e383.
    1) If ctx.buf is realloc'ed in filter_stuff_func, slapi_filter_sprintf
       returns already freed buf.  And the buf is freed by caller, again.
    2) If filter escape occurs in get_substring_filter, freed val is
       returned to caller via "struct slapi_filter *f" and it is freed
       again.

diff --git a/ldap/servers/slapd/filter.c b/ldap/servers/slapd/filter.c
index 65e9de4..2b35936 100644
--- a/ldap/servers/slapd/filter.c
+++ b/ldap/servers/slapd/filter.c
@@ -516,6 +516,7 @@ get_substring_filter(
 			if(eval){
 				slapi_ch_free_string(&val);
 				val = eval;
+				f->f_sub_initial = val;
 			}
 			*fstr = slapi_ch_realloc( *fstr, strlen( *fstr ) +
 			    strlen( val ) + 1 );
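Review bot: the new `f->f_sub_initial = val;` inside the `if(eval)` block only repairs the dangling pointer if `f->f_sub_initial` was the same pointer as `val` at the moment `slapi_ch_free_string(&val);` ran; if the two ever diverge, the free still leaves the field dangling and this assignment leaks the old allocation instead. Making that aliasing explicit would be safer, e.g. `f->f_sub_initial = val = eval;` in one statement, or freeing and reassigning through the field itself rather than through the local copy, plus a one-line comment that `val` aliases `f->f_sub_initial` so the next reader does not reintroduce the double free.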
@@ -546,6 +547,7 @@ get_substring_filter(
 			if(eval){
 				slapi_ch_free_string(&val);
 				val = eval;
+				f->f_sub_final = val;
 			}
 			*fstr = slapi_ch_realloc( *fstr, strlen( *fstr ) +
 			    strlen( val ) + 2 );
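Review bot: same caveat as the initial-substring block above: `f->f_sub_final = val;` assumes `val` and `f->f_sub_final` point at the same buffer when `slapi_ch_free_string(&val);` is called. Since this block is identical to the earlier one apart from the field name, a small helper that takes the field's address, escapes in place and frees the old value would remove the duplication and make it impossible to fix one site and forget the other; it is also worth confirming that any other substring component that goes through the same escape path gets the same pointer update, since the commit message says the bug affects anything returned to the caller via `f`.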
diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c
index fc399e7..a70910f 100644
--- a/ldap/servers/slapd/util.c
+++ b/ldap/servers/slapd/util.c
@@ -431,7 +431,7 @@ slapi_filter_sprintf(const char *fmt, ...)
     }
     va_end(args);
 
-    return buf;
+    return ctx.buf;
 }
 
 /*
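Review bot: returning `ctx.buf` is the right fix when `filter_stuff_func` can realloc the buffer behind the local `buf`, but after this change the local `buf` is no longer the value handed back, so any remaining use of it after `va_end(args);` should be removed (or `buf` dropped entirely if it now only serves the initial allocation) to avoid the same stale-pointer mistake being repeated. A short comment at the return stating that `ctx.buf` owns the allocation and that the caller frees it, as the commit message describes, would document the ownership that this one-line change relies on.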



