[389-commits] ldap/servers

Noriko Hosoi nhosoi at fedoraproject.org
Fri Jun 5 17:42:15 UTC 2015


 ldap/servers/slapd/pagedresults.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

New commits:
commit 298371d372678cf553594ae73ae57a6ea35358bf
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Fri Jun 5 10:13:17 2015 -0700

    Ticket #48192 - Individual abandoned simple paged results request has no chance to be cleaned up
    
    Description: Checking the cookie value passed by the client was not
    sufficient.  The negative value check was missing, which led to
    the simple paged results array out of bounds.  Plus, a minor memory
    leak was fixed.  Thanks to Thierry Bordaz for his reviews!
    
    https://fedorahosted.org/389/ticket/48192

diff --git a/ldap/servers/slapd/pagedresults.c b/ldap/servers/slapd/pagedresults.c
index 402dd10..2e70e19 100644
--- a/ldap/servers/slapd/pagedresults.c
+++ b/ldap/servers/slapd/pagedresults.c
@@ -177,14 +177,14 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
         memcpy(ptr, cookie.bv_val, cookie.bv_len);
         *(ptr+cookie.bv_len) = '\0';
         *index = strtol(ptr, NULL, 10);
-        if (conn->c_pagedresults.prl_maxlen <= *index) {
+        slapi_ch_free_string(&ptr);
+        if ((conn->c_pagedresults.prl_maxlen <= *index) || (*index < 0)){
             rc = LDAP_PROTOCOL_ERROR;
             LDAPDebug1Arg(LDAP_DEBUG_ANY,
                           "pagedresults_parse_control_value: invalid cookie: %d\n",
                           *index);
             goto bail;
         }
-        slapi_ch_free_string(&ptr);
         prp = conn->c_pagedresults.prl_list + *index;
         if (!(prp->pr_search_result_set)) { /* freed and reused for the next backend. */
             conn->c_pagedresults.prl_count++;
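
Review bot: The new range test on `*index` is only as strong as the parse on the line above it, `*index = strtol(ptr, NULL, 10);`, which this change leaves untouched. With a NULL end pointer, a cookie that contains no digits parses as 0 and passes both comparisons, and if `*index` is an `int` (as the `%d` in the log call suggests) the `long` returned by `strtol` is narrowed before it is compared with `prl_maxlen`. Consider parsing into a local `long` with an end pointer, rejecting the cookie unless the whole string was consumed and the value satisfies `0 <= value < prl_maxlen`, and only then storing it in `*index`. Moving `slapi_ch_free_string(&ptr)` above the check does cover the `goto bail` path; a short comment there noting that `ptr` is released before validation would help, since the error message can now only report the parsed number and not the raw cookie.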



