September 2010 - 389-commits - Fedora Mailing-Lists

coolkey/src/coolkey machdep.cpp,1.9,1.10

by Robert Relyea

Author: rrelyea Update of /cvs/dirsec/coolkey/src/coolkey In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv4615 Modified Files: machdep.cpp Log Message: Fix incorrect unlink in error path Index: machdep.cpp =================================================================== RCS file: /cvs/dirsec/coolkey/src/coolkey/machdep.cpp,v retrieving revision 1.9 retrieving revision 1.10 diff -u -r1.9 -r1.10 --- machdep.cpp 8 Sep 2010 20:55:30 -0000 1.9 +++ machdep.cpp 20 Sep 2010 22:11:38 -0000 1.10 @@ -364,7 +364,7 @@ } ret = write(shmemData->fd,buf,len); if (ret != len) { - unlink(shmemData->fd,buf,len); + unlink(shmemData->path); #ifdef FULL_CLEANUP flock(shmemData->fd, LOCK_UN); #endif

13 years, 7 months

1
0
0 / 0

lib/libaccess

by Nathan Kinder

lib/libaccess/acl.tab.cpp | 4 ++++ 1 file changed, 4 insertions(+) New commits: commit 62cc84cec98c46d5792178d483f8780d43537d0a Author: Endi Sukma Dewata <edewata(a)redhat.com> Date: Fri Sep 17 18:25:48 2010 -0400 Bug 630092 - Coverity #11992,11993: Resource leaks issues https://bugzilla.redhat.com/show_bug.cgi?id=630092 Description: The acl_Parse() has been modified to release newacls and newaclv when an error occurs. diff --git a/lib/libaccess/acl.tab.cpp b/lib/libaccess/acl.tab.cpp index 5f6610d..ddf40a6 100644 --- a/lib/libaccess/acl.tab.cpp +++ b/lib/libaccess/acl.tab.cpp @@ -846,7 +846,11 @@ int acl_Parse() aclv = ACLCOPY(newaclv, aclv, ACLSTYPE); } else + { aclnewmax = 0; /* failed */ + if (newacls) PERM_FREE(newacls); + if (newaclv) PERM_FREE(newaclv); + } } else /* not first time */ {

13 years, 7 months

1
0
0 / 0

7 commits - ldap/servers lib/ldaputil

by Nathan Kinder

ldap/servers/plugins/acl/acllas.c | 4 +--- ldap/servers/plugins/cos/cos_cache.c | 1 + ldap/servers/slapd/libglobs.c | 2 +- ldap/servers/slapd/plugin.c | 4 ++-- ldap/servers/slapd/str2filter.c | 1 + ldap/servers/slapd/tools/ldclt/scalab01.c | 18 +++++++++++++----- lib/ldaputil/certmap.c | 1 + 7 files changed, 20 insertions(+), 11 deletions(-) New commits: commit e84ef2eceaeaae02acf62b74b37be8e9b2ac59bc Author: Endi Sukma Dewata <edewata(a)redhat.com> Date: Fri Sep 17 16:37:27 2010 -0400 Bug 630092 - Coverity #11985: Resource leaks issues https://bugzilla.redhat.com/show_bug.cgi?id=630092 Description: The str2simple() has been modified to release unqstr when an error occurs. diff --git a/ldap/servers/slapd/str2filter.c b/ldap/servers/slapd/str2filter.c index 0dd91a5..9ffcf24 100644 --- a/ldap/servers/slapd/str2filter.c +++ b/ldap/servers/slapd/str2filter.c @@ -320,6 +320,7 @@ str2simple( char *str , int unescape_filter) value[len] = savechar; if (!r) { slapi_filter_free(f, 1); + slapi_ch_free((void**)&unqstr); return NULL; } f->f_avvalue.bv_val = unqstr; commit a9b98efb4fda1672e915a6d4cbbad1b096e8f66d Author: Endi Sukma Dewata <edewata(a)redhat.com> Date: Fri Sep 17 17:07:54 2010 -0400 Bug 630092 - Coverity #12003: Resource leaks issues https://bugzilla.redhat.com/show_bug.cgi?id=630092 Description: The cos_cache_add_defn() has been modified to release theDef when an error occurs. diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c index e20fd0d..db99586 100644 --- a/ldap/servers/plugins/cos/cos_cache.c +++ b/ldap/servers/plugins/cos/cos_cache.c @@ -1498,6 +1498,7 @@ static int cos_cache_add_defn( out: if(ret < 0) { + slapi_ch_free((void**)&theDef); if(dn) cos_cache_del_attrval_list(dn); if(tree) commit 16b151c38f14f9ca7eed6611df44c1c5d1fca42f Author: Endi Sukma Dewata <edewata(a)redhat.com> Date: Fri Sep 17 16:58:53 2010 -0400 Bug 630092 - Coverity #12000: Resource leaks issues https://bugzilla.redhat.com/show_bug.cgi?id=630092 Description: The plugin_setup() has been modified to release the value before it returns. diff --git a/ldap/servers/slapd/plugin.c b/ldap/servers/slapd/plugin.c index aa54426..b8257d1 100644 --- a/ldap/servers/slapd/plugin.c +++ b/ldap/servers/slapd/plugin.c @@ -2270,6 +2270,7 @@ plugin_setup(Slapi_Entry *plugin_entry, struct slapi_componentid *group, plugin->plg_initfunc, plugin->plg_name, plugin->plg_libpath); status = -1; + slapi_ch_free((void**)&value); goto PLUGIN_CLEANUP; } @@ -2277,8 +2278,7 @@ plugin_setup(Slapi_Entry *plugin_entry, struct slapi_componentid *group, status = plugin_add_descriptive_attributes( plugin_entry, plugin ); } - if (value) - slapi_ch_free((void**)&value); + slapi_ch_free((void**)&value); if(enabled) { commit a076dbbf8eefee8c84b0c7af12f9d2819db11452 Author: Endi Sukma Dewata <edewata(a)redhat.com> Date: Fri Sep 17 16:46:03 2010 -0400 Bug 630092 - Coverity #11991: Resource leaks issues https://bugzilla.redhat.com/show_bug.cgi?id=630092 Description: The acllas__client_match_URL() has been modified to release the hostport before it returns. diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c index 6271fb1..99b0281 100644 --- a/ldap/servers/plugins/acl/acllas.c +++ b/ldap/servers/plugins/acl/acllas.c @@ -3606,9 +3606,6 @@ acllas__client_match_URL (struct acl_pblock *aclpb, char *n_clientdn, char *url /* dn was allocated in slapi_dn_normalize_ext */ slapi_ch_free_string(&dn); } - if (hostport && ('/' != *hostport)) { - slapi_ch_free_string(&hostport); - } rc = slapi_ldap_url_parse(normed, &ludp, 1, NULL); if (rc) { slapi_log_error( SLAPI_LOG_FATAL, plugin_name, @@ -3673,6 +3670,7 @@ acllas__client_match_URL (struct acl_pblock *aclpb, char *n_clientdn, char *url result = ACL_FALSE; done: + slapi_ch_free_string(&hostport); ldap_free_urldesc( ludp ); slapi_ch_free_string(&normed); slapi_filter_free ( f, 1 ) ; commit 9433fc73f04520ce7f309fef6bcc4052146d34fe Author: Nathan Kinder <nkinder(a)redhat.com> Date: Fri Sep 17 14:14:53 2010 -0700 Bug 630092 - (cov#12068) Resource leak in certmap code The ldapu_propval_list_free() function was freeing the nodes in the list, but not the list itself. We need to free the list itself after all of the nodes have been freed. diff --git a/lib/ldaputil/certmap.c b/lib/ldaputil/certmap.c index 9c6b2ba..f3da425 100644 --- a/lib/ldaputil/certmap.c +++ b/lib/ldaputil/certmap.c @@ -1472,6 +1472,7 @@ void ldapu_propval_list_free (void *propval_list) { LDAPUPropValList_t *list = (LDAPUPropValList_t *)propval_list; ldapu_list_free(list, ldapu_propval_free); + free(list); } int ldapu_certmap_init (const char *config_file, commit 6b3b9009af5c85b0be9dea36aca86c93972a20a4 Author: Nathan Kinder <nkinder(a)redhat.com> Date: Fri Sep 17 14:37:47 2010 -0700 Bug 630092 - (cov#12105) Resource leak in pwdscheme config code We don't free new_scheme if the password encode function is not set. We need to free new_scheme in this error case. diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c index f36588c..b88a69a 100644 --- a/ldap/servers/slapd/libglobs.c +++ b/ldap/servers/slapd/libglobs.c @@ -1600,7 +1600,6 @@ config_set_pw_storagescheme( const char *attrname, char *value, char *errorbuf, } retVal = LDAP_OPERATIONS_ERROR; slapi_ch_free_string(&scheme_list); - free_pw_scheme(new_scheme); return retVal; } else if ( new_scheme->pws_enc == NULL ) @@ -1616,6 +1615,7 @@ config_set_pw_storagescheme( const char *attrname, char *value, char *errorbuf, } retVal = LDAP_UNWILLING_TO_PERFORM; slapi_ch_free_string(&scheme_list); + free_pw_scheme(new_scheme); return retVal; } commit e1702b5a0442013d829eb6e1f4a4c1b7eeb71516 Author: Nathan Kinder <nkinder(a)redhat.com> Date: Fri Sep 17 13:31:56 2010 -0700 Bug 630092 - (cov#12116) Resource leak in ldclt code There is a chance that we leak the memory pointed to by the new variable if we never have one of the ldclt contexts point to it. We need to jump to the error label in this case to free the memory. diff --git a/ldap/servers/slapd/tools/ldclt/scalab01.c b/ldap/servers/slapd/tools/ldclt/scalab01.c index c0437b0..39345bd 100644 --- a/ldap/servers/slapd/tools/ldclt/scalab01.c +++ b/ldap/servers/slapd/tools/ldclt/scalab01.c @@ -465,6 +465,13 @@ scalab01_addLogin ( else { cur = s1ctx.list; + + /* If cur is NULL, we should just bail and free new. */ + if (cur == NULL) + { + goto error; + } + while (cur != NULL) { if (cur->next == NULL) @@ -472,15 +479,16 @@ scalab01_addLogin ( cur->next = new; cur = NULL; /* Exit loop */ } - else - if (cur->next->counter >= duration) - { + else if (cur->next->counter >= duration) + { new->next = cur->next; cur->next = new; cur = NULL; /* Exit loop */ - } - else + } + else + { cur = cur->next; + } } } }

13 years, 7 months

1
0
0 / 0

mod_nss nss_engine_io.c,1.10,1.11

by Rob Crittenden

Author: rcritten Update of /cvs/dirsec/mod_nss In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv26603 Modified Files: nss_engine_io.c Log Message: Fix endless read loop in some situations when handling POST data (#620856) This was discovered in the dogtag TPS subsystem. I haven't been able to duplicate it outside of that but it is trivial inside. This seems to fix it and brings the code closer to what mod_ssl does here as well. Index: nss_engine_io.c =================================================================== RCS file: /cvs/dirsec/mod_nss/nss_engine_io.c,v retrieving revision 1.10 retrieving revision 1.11 diff -u -r1.10 -r1.11 --- nss_engine_io.c 11 Nov 2009 18:20:39 -0000 1.10 +++ nss_engine_io.c 17 Sep 2010 19:39:27 -0000 1.11 @@ -259,7 +259,8 @@ */ if (APR_STATUS_IS_EAGAIN(inctx->rc) || APR_STATUS_IS_EINTR(inctx->rc) || (inctx->rc == APR_SUCCESS && APR_BRIGADE_EMPTY(inctx->bb))) { - PR_SetError(PR_WOULD_BLOCK_ERROR, 0); + nspr_filter_out_ctx_t *outctx = filter_ctx->outctx; + inctx->rc = outctx->rc; return -1; }

13 years, 7 months

1
0
0 / 0

11 commits - ldap/servers

by Nathan Kinder

ldap/servers/plugins/mep/mep.c | 15 +++++++++++---- ldap/servers/plugins/replication/repl5_protocol_util.c | 6 ++---- ldap/servers/plugins/replication/windows_protocol_util.c | 2 ++ ldap/servers/slapd/back-ldbm/import-threads.c | 4 ++++ ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c | 5 +++++ ldap/servers/slapd/back-ldbm/ldbm_modrdn.c | 1 + ldap/servers/slapd/tools/mmldif.c | 3 ++- 7 files changed, 27 insertions(+), 9 deletions(-) New commits: commit 2af08b37e8bcebb68ad85c8cc6195f8f6d3403f1 Author: Endi Sukma Dewata <edewata(a)redhat.com> Date: Thu Sep 16 14:35:12 2010 -0400 Bug 630092 - Coverity #15497: Resource leaks issues https://bugzilla.redhat.com/show_bug.cgi?id=630092 Description: The moddn_rename_children() has been modified to release child_entry_copies before it returns. diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c index c8b4903..e62a8b5 100644 --- a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c +++ b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c @@ -1598,6 +1598,7 @@ moddn_rename_children( } } slapi_ldap_value_free( newsuperiordns ); + slapi_ch_free((void**)&child_entry_copies); return retval; } commit f88490faa19daaf0e43ed27a7f936ea5cca4cda0 Author: Endi Sukma Dewata <edewata(a)redhat.com> Date: Thu Sep 16 14:29:30 2010 -0400 Bug 630092 - Coverity #15490: Resource leaks issues https://bugzilla.redhat.com/show_bug.cgi?id=630092 Description: The import_producer() has been modified to release ep when an error occured. diff --git a/ldap/servers/slapd/back-ldbm/import-threads.c b/ldap/servers/slapd/back-ldbm/import-threads.c index b18bbce..c00e4b7 100644 --- a/ldap/servers/slapd/back-ldbm/import-threads.c +++ b/ldap/servers/slapd/back-ldbm/import-threads.c @@ -636,6 +636,7 @@ import_producer(void *param) ep = import_make_backentry(e, id); if ((ep == NULL) || (ep->ep_entry == NULL)) { slapi_entry_free(e); + backentry_free(&ep); goto error; } commit 1aab7c095a094f81916b7061a447570fde17407a Author: Endi Sukma Dewata <edewata(a)redhat.com> Date: Thu Sep 16 14:25:00 2010 -0400 Bug 630092 - Coverity #15487: Resource leaks issues https://bugzilla.redhat.com/show_bug.cgi?id=630092 Description: The index_set_entry_to_fifo() has been modified to release ep when the job is aborted. diff --git a/ldap/servers/slapd/back-ldbm/import-threads.c b/ldap/servers/slapd/back-ldbm/import-threads.c index 9629a9e..b18bbce 100644 --- a/ldap/servers/slapd/back-ldbm/import-threads.c +++ b/ldap/servers/slapd/back-ldbm/import-threads.c @@ -805,6 +805,7 @@ index_set_entry_to_fifo(ImportWorkerInfo *info, Slapi_Entry *e, } if (job->flags & FLAG_ABORT) { + backentry_free(&ep); goto bail; } @@ -831,6 +832,7 @@ index_set_entry_to_fifo(ImportWorkerInfo *info, Slapi_Entry *e, DS_Sleep(sleeptime); } if (job->flags & FLAG_ABORT) { + backentry_free(&ep); goto bail; } commit 889b6d03b0e6ef0b315f78437dc7217e23ae63d0 Author: Endi Sukma Dewata <edewata(a)redhat.com> Date: Thu Sep 16 14:18:05 2010 -0400 Bug 630092 - Coverity #15485: Resource leaks issues https://bugzilla.redhat.com/show_bug.cgi?id=630092 Description: The _entryrdn_delete_key() has been modified to release tmpsrdn when an error occurs. diff --git a/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c index 503d96b..4fbae15 100644 --- a/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c +++ b/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c @@ -2363,6 +2363,7 @@ retry_get0: "_entryrdn_delete_key: Failed to generate a parent " "elem: dn: %s\n", dn); slapi_ch_free_string(&dn); + slapi_rdn_free(&tmpsrdn); goto bail; } } else if (parentnrdn) { commit ba741cade5aef1cbb8ede386b7f2b85d57745d75 Author: Endi Sukma Dewata <edewata(a)redhat.com> Date: Thu Sep 16 12:38:32 2010 -0400 Bug 630092 - Coverity #15484: Resource leaks issues https://bugzilla.redhat.com/show_bug.cgi?id=630092 Description: The bulk_import_queue() has been modified to release ep when an error occurs. diff --git a/ldap/servers/slapd/back-ldbm/import-threads.c b/ldap/servers/slapd/back-ldbm/import-threads.c index 171be08..9629a9e 100644 --- a/ldap/servers/slapd/back-ldbm/import-threads.c +++ b/ldap/servers/slapd/back-ldbm/import-threads.c @@ -2736,6 +2736,7 @@ static int bulk_import_queue(ImportJob *job, Slapi_Entry *entry) ep = import_make_backentry(entry, id); if ((ep == NULL) || (ep->ep_entry == NULL)) { import_abort_all(job, 1); + backentry_free( &ep ); /* release the backend wrapper, here */ PR_Unlock(job->wire_lock); return -1; } commit 4078b6113628c0a842a6caf7c54535ca95cacfd7 Author: Endi Sukma Dewata <edewata(a)redhat.com> Date: Thu Sep 16 11:56:49 2010 -0400 Bug 630092 - Coverity #15483: Resource leaks issues https://bugzilla.redhat.com/show_bug.cgi?id=630092 Description: The _entryrdn_index_read() has been modified to release tmpsrdn when an error occurs. diff --git a/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c index f3474fa..503d96b 100644 --- a/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c +++ b/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c @@ -2560,6 +2560,7 @@ _entryrdn_index_read(backend *be, "_entryrdn_index_read: Failed to generate a new elem: " "dn: %s\n", dn); slapi_ch_free_string(&dn); + slapi_rdn_free(&tmpsrdn); goto bail; } slapi_rdn_free(&tmpsrdn); @@ -2627,6 +2628,9 @@ _entryrdn_index_read(backend *be, "_entryrdn_index_read: Failed to generate a new elem: " "dn: %s\n", dn); slapi_ch_free_string(&dn); + if (tmpsrdn != srdn) { + slapi_rdn_free(&tmpsrdn); + } goto bail; } if (tmpsrdn != srdn) { commit 753ee0945a968c849e37cc42971dc5a75bc4f0a8 Author: Endi Sukma Dewata <edewata(a)redhat.com> Date: Tue Sep 14 23:33:13 2010 -0400 Bug 630092 - Coverity #15482: Resource leaks issues https://bugzilla.redhat.com/show_bug.cgi?id=630092 Description: The windows_search_local_entry_by_uniqueid() has been modified to release the memory allocated for local_subtree. diff --git a/ldap/servers/plugins/replication/windows_protocol_util.c b/ldap/servers/plugins/replication/windows_protocol_util.c index ff39fb5..3fe42cf 100644 --- a/ldap/servers/plugins/replication/windows_protocol_util.c +++ b/ldap/servers/plugins/replication/windows_protocol_util.c @@ -4607,6 +4607,8 @@ windows_search_local_entry_by_uniqueid(Private_Repl_Protocol *prp, const char *u { PR_smprintf_free(filter_string); } + + if (is_global) slapi_sdn_free(&local_subtree); return rc; } commit 8c524b4700238edba8a307a213ba81cb56a2b913 Author: Endi Sukma Dewata <edewata(a)redhat.com> Date: Tue Sep 14 22:54:03 2010 -0400 Bug 630092 - Coverity #15481: Resource leaks issues https://bugzilla.redhat.com/show_bug.cgi?id=630092 Description: The acquire_replica() has been modified to release current_csn before it returns. diff --git a/ldap/servers/plugins/replication/repl5_protocol_util.c b/ldap/servers/plugins/replication/repl5_protocol_util.c index 02b16b5..16032b2 100644 --- a/ldap/servers/plugins/replication/repl5_protocol_util.c +++ b/ldap/servers/plugins/replication/repl5_protocol_util.c @@ -121,6 +121,7 @@ acquire_replica(Private_Repl_Protocol *prp, char *prot_oid, RUV **ruv) char *retoid = NULL; Slapi_DN *replarea_sdn = NULL; struct berval **ruv_bervals = NULL; + CSN *current_csn = NULL; PR_ASSERT(prp && prot_oid); @@ -176,8 +177,6 @@ acquire_replica(Private_Repl_Protocol *prp, char *prot_oid, RUV **ruv) } else { - CSN *current_csn = NULL; - /* we don't want the timer to go off in the middle of an operation */ conn_cancel_linger(conn); @@ -276,8 +275,6 @@ acquire_replica(Private_Repl_Protocol *prp, char *prot_oid, RUV **ruv) } /* JCMREPL - Need to extract the referrals from the RUV */ - csn_free(&current_csn); - current_csn = NULL; crc = conn_send_extended_operation(conn, prp->repl90consumer ? REPL_START_NSDS90_REPLICATION_REQUEST_OID : REPL_START_NSDS50_REPLICATION_REQUEST_OID, payload, @@ -522,6 +519,7 @@ acquire_replica(Private_Repl_Protocol *prp, char *prot_oid, RUV **ruv) } error: + csn_free(&current_csn); if (NULL != ruv_bervals) ber_bvecfree(ruv_bervals); if (NULL != replarea_sdn) commit 2a267dc9c52ff4f641a6045e6c481ea881010975 Author: Endi Sukma Dewata <edewata(a)redhat.com> Date: Tue Sep 14 21:06:13 2010 -0400 Bug 630092 - Coverity #15479: Resource leaks issues https://bugzilla.redhat.com/show_bug.cgi?id=630092 Description: The mep_pre_op() is correctly allocating and releasing smods during modify operation. However, the "else" clause on line 1517 theoretically allows other operations to enter and cause resource leak. The code has been modified to reject other operations from operating against the config entries. diff --git a/ldap/servers/plugins/mep/mep.c b/ldap/servers/plugins/mep/mep.c index 72af428..cb329e4 100644 --- a/ldap/servers/plugins/mep/mep.c +++ b/ldap/servers/plugins/mep/mep.c @@ -1514,7 +1514,8 @@ mep_pre_op(Slapi_PBlock * pb, int modop) if (LDAP_CHANGETYPE_ADD == modop) { slapi_pblock_get(pb, SLAPI_ADD_ENTRY, &e); - } else { + + } else if (LDAP_CHANGETYPE_MODIFY == modop) { /* Fetch the entry being modified so we can * create the resulting entry for validation. */ Slapi_DN *tmp_dn = slapi_sdn_new_dn_byref(dn); @@ -1541,6 +1542,12 @@ mep_pre_op(Slapi_PBlock * pb, int modop) * to let the main server handle it. */ goto bailmod; } + + } else { + /* Refuse other operations. */ + ret = LDAP_UNWILLING_TO_PERFORM; + errstr = slapi_ch_smprintf("Not a valid operation."); + goto bail; } if (mep_parse_config_entry(e, 0) != 0) { commit 019789548c33ec6155a0cbebfe81c58bac4d1ed8 Author: Endi Sukma Dewata <edewata(a)redhat.com> Date: Tue Sep 14 20:36:37 2010 -0400 Bug 630092 - Coverity #15478: Resource leaks issues https://bugzilla.redhat.com/show_bug.cgi?id=630092 Description: The mep_pre_op() has been modified to release config_copy before it goes out of scope by moving mep_free_config_entry() out of the switch statement. diff --git a/ldap/servers/plugins/mep/mep.c b/ldap/servers/plugins/mep/mep.c index c0ce013..72af428 100644 --- a/ldap/servers/plugins/mep/mep.c +++ b/ldap/servers/plugins/mep/mep.c @@ -1631,11 +1631,11 @@ mep_pre_op(Slapi_PBlock * pb, int modop) /* Dispose of the test entry */ slapi_entry_free(test_entry); - - /* Free the config copy */ - mep_free_config_entry(&config_copy); break; } + + /* Free the config copy */ + mep_free_config_entry(&config_copy); } mep_config_unlock(); commit bef946f15f1e7f5694e8e044df3444d78b558d4f Author: Endi Sukma Dewata <edewata(a)redhat.com> Date: Tue Sep 14 20:25:53 2010 -0400 Bug 630092 - Coverity #12117: Resource leaks issues https://bugzilla.redhat.com/show_bug.cgi?id=630092 Description: The putvalue() has been modified to release b64 using freeEnc64() before it returns. diff --git a/ldap/servers/slapd/tools/mmldif.c b/ldap/servers/slapd/tools/mmldif.c index b364a19..6d62338 100644 --- a/ldap/servers/slapd/tools/mmldif.c +++ b/ldap/servers/slapd/tools/mmldif.c @@ -1245,7 +1245,7 @@ putvalue( int valuelen ) { - Enc64_t * b64; + Enc64_t * b64 = NULL; char * lptr; char line[255]; int return_code; @@ -1330,6 +1330,7 @@ putvalue( } return_bit: + if (b64) freeEnc64(b64); if (tag != NULL) { fputs("-\n", fh); }

13 years, 7 months

1
0
0 / 0

lib/libaccess

by Nathan Kinder

lib/libaccess/acl.tab.cpp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) New commits: commit 8f1cdb3193c92c863c08a8836341ff54c9c17f7b Author: Nathan Kinder <nkinder(a)redhat.com> Date: Wed Sep 15 14:58:53 2010 -0700 Bug 630091 - (cov#12209) Use of uninitialized pointer in libaccess It looks like aclpvt is only initialized before use if __cplusplus or lint are defined. I see no harm in always initializing aclpvt to NULL, which will guarantee that we don't use an uninitialized pointer. diff --git a/lib/libaccess/acl.tab.cpp b/lib/libaccess/acl.tab.cpp index 6cab7d9..5f6610d 100644 --- a/lib/libaccess/acl.tab.cpp +++ b/lib/libaccess/acl.tab.cpp @@ -724,7 +724,7 @@ int acl_Parse(void) int acl_Parse() #endif { - register ACLSTYPE *aclpvt; /* top of value stack for $vars */ + register ACLSTYPE *aclpvt = 0; /* top of value stack for $vars */ #if defined(__cplusplus) || defined(lint) /* @@ -737,7 +737,6 @@ int acl_Parse() case 1: goto aclerrlab; case 2: goto aclnewstate; } - aclpvt = 0; #endif /*

13 years, 7 months

1
0
0 / 0

2 commits - ldap/servers

by Nathan Kinder

ldap/servers/plugins/acl/aclplugin.c | 6 ++++++ ldap/servers/slapd/tools/mmldif.c | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) New commits: commit b83f966e5ce1d5a3e70521b15f92b9f6ba988b1c Author: Nathan Kinder <nkinder(a)redhat.com> Date: Wed Sep 15 13:31:24 2010 -0700 Bug 630097 - (cov#15477) NULL dereference in ACL plug-in code We need to check if aclpb is NULL before dereferencing it. The proper thing to do here is to make aclplugin_preop_common() return an error to the LDAP client and to return 1 since the whole purpose of this function is to initialize the aclpb. Doing this will avoid the NULL dereference. diff --git a/ldap/servers/plugins/acl/aclplugin.c b/ldap/servers/plugins/acl/aclplugin.c index 873c524..d54250d 100644 --- a/ldap/servers/plugins/acl/aclplugin.c +++ b/ldap/servers/plugins/acl/aclplugin.c @@ -205,6 +205,12 @@ aclplugin_preop_common( Slapi_PBlock *pb ) aclpb = acl_get_aclpb ( pb, ACLPB_BINDDN_PBLOCK ); + if (aclpb == NULL) { + slapi_log_error( SLAPI_LOG_ACL, plugin_name, "aclplugin_preop_common: Error: aclpb is NULL\n" ); + slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL ); + return 1; + } + /* See if we have initialized already */ if ( aclpb->aclpb_state & ACLPB_INITIALIZED ) goto done; commit 470e2c70338440f69b0ab8fc02128fe5f204af3e Author: Nathan Kinder <nkinder(a)redhat.com> Date: Wed Sep 15 11:45:56 2010 -0700 Bug 630097 - (cov#11938) NULL dereference in mmldif There is a chance that a can be NULL, which we then dereference within the else block. We should not execute the else block if a is NULL. diff --git a/ldap/servers/slapd/tools/mmldif.c b/ldap/servers/slapd/tools/mmldif.c index 665452c..b364a19 100644 --- a/ldap/servers/slapd/tools/mmldif.c +++ b/ldap/servers/slapd/tools/mmldif.c @@ -1108,7 +1108,7 @@ addmodified(FILE * edf3, attrib1_t * attrib, record_t * first) } while (num_b <= tot_b && stricmp(attribname(b), attrname) == 0); fprintf(edf3, "-\n"); continue; - } else { + } else if (a != NULL) { /* a == b */ int nmods = 0; attrib_t *begin_b = b;

13 years, 7 months

1
0
0 / 0

ldap/servers

by Noriko Hosoi

ldap/servers/slapd/back-ldbm/filterindex.c | 6 ++++++ ldap/servers/slapd/back-ldbm/ldbm_search.c | 1 + ldap/servers/slapd/back-ldbm/vlv.c | 5 +++-- ldap/servers/slapd/opshared.c | 5 +++++ ldap/servers/slapd/pagedresults.c | 25 +++++++++++++++++++++++++ ldap/servers/slapd/proto-slap.h | 2 ++ ldap/servers/slapd/result.c | 3 ++- ldap/servers/slapd/slap.h | 4 ++++ ldap/servers/slapd/slapi-plugin.h | 1 + 9 files changed, 49 insertions(+), 3 deletions(-) New commits: commit 529b056b2fda91263730da1da8ac9b42b54b72f4 Author: Noriko Hosoi <nhosoi(a)redhat.com> Date: Tue Sep 14 10:32:46 2010 -0700 Bug 558099 - Enhancement request: Log more information about the search result being a paged one https://bugzilla.redhat.com/show_bug.cgi?id=558099 Description: searched entry count is logged in the access log as (nentries=<num>). When RFC 2696 page results control is passed, the nentries logs the page size instead of the total searched count. andrey.ivanov(a)polytechnique.fr proposed to log the control info as follows: [..] conn=# op=#RESULT err=0 tag=101 nentries=# etime=0 notes=P This patch implemented the spec. Also, there was a bug regarding unindexed note "notes=U" when the paged results control is received. Only the first page logs it, but not the rest. The bug was fixed. diff --git a/ldap/servers/slapd/back-ldbm/filterindex.c b/ldap/servers/slapd/back-ldbm/filterindex.c index 03123ca..e237749 100644 --- a/ldap/servers/slapd/back-ldbm/filterindex.c +++ b/ldap/servers/slapd/back-ldbm/filterindex.c @@ -287,6 +287,7 @@ ava_candidates( if ( unindexed ) { unsigned int opnote = SLAPI_OP_NOTE_UNINDEXED; slapi_pblock_set( pb, SLAPI_OPERATION_NOTES, &opnote ); + pagedresults_set_unindexed( pb->pb_conn ); } /* We don't use valuearray_free here since the valueset, berval @@ -318,6 +319,7 @@ ava_candidates( if ( unindexed ) { unsigned int opnote = SLAPI_OP_NOTE_UNINDEXED; slapi_pblock_set( pb, SLAPI_OPERATION_NOTES, &opnote ); + pagedresults_set_unindexed( pb->pb_conn ); } valuearray_free( &ivals ); LDAPDebug( LDAP_DEBUG_TRACE, "<= ava_candidates %lu\n", @@ -353,6 +355,7 @@ presence_candidates( if ( unindexed ) { unsigned int opnote = SLAPI_OP_NOTE_UNINDEXED; slapi_pblock_set( pb, SLAPI_OPERATION_NOTES, &opnote ); + pagedresults_set_unindexed( pb->pb_conn ); } if (idl != NULL && ALLIDS(idl) && strcasecmp(type, "nscpentrydn") == 0) { @@ -458,6 +461,7 @@ extensible_candidates( unsigned int opnote = SLAPI_OP_NOTE_UNINDEXED; slapi_pblock_set( glob_pb, SLAPI_OPERATION_NOTES, &opnote ); + pagedresults_set_unindexed( glob_pb->pb_conn ); } if (idl2 == NULL) { @@ -864,6 +868,7 @@ substring_candidates( attr_done(&sattr); if ( ivals == NULL || *ivals == NULL ) { slapi_pblock_set( pb, SLAPI_OPERATION_NOTES, &opnote ); + pagedresults_set_unindexed( pb->pb_conn ); LDAPDebug( LDAP_DEBUG_TRACE, "<= sub_candidates ALLIDS (no keys)\n", 0, 0, 0 ); return( idl_allids( be ) ); @@ -876,6 +881,7 @@ substring_candidates( idl = keys2idl( be, type, indextype_SUB, ivals, err, &unindexed ); if ( unindexed ) { slapi_pblock_set( pb, SLAPI_OPERATION_NOTES, &opnote ); + pagedresults_set_unindexed( pb->pb_conn ); } valuearray_free( &ivals ); diff --git a/ldap/servers/slapd/back-ldbm/ldbm_search.c b/ldap/servers/slapd/back-ldbm/ldbm_search.c index 0f97d86..9a8dd0f 100644 --- a/ldap/servers/slapd/back-ldbm/ldbm_search.c +++ b/ldap/servers/slapd/back-ldbm/ldbm_search.c @@ -675,6 +675,7 @@ ldbm_back_search( Slapi_PBlock *pb ) } slapi_pblock_set( pb, SLAPI_OPERATION_NOTES, &opnote ); + pagedresults_set_unindexed( pb->pb_conn ); } sr->sr_candidates = candidates; diff --git a/ldap/servers/slapd/back-ldbm/vlv.c b/ldap/servers/slapd/back-ldbm/vlv.c index 0d28240..163d8a6 100644 --- a/ldap/servers/slapd/back-ldbm/vlv.c +++ b/ldap/servers/slapd/back-ldbm/vlv.c @@ -1150,8 +1150,9 @@ vlv_search_build_candidate_list(Slapi_PBlock *pb, const Slapi_DN *base, int *vlv if((pi=vlv_find_search(be, base, scope, fstr, sort_control)) == NULL) { unsigned int opnote = SLAPI_OP_NOTE_UNINDEXED; PR_RWLock_Unlock(be->vlvSearchList_lock); - slapi_pblock_set( pb, SLAPI_OPERATION_NOTES, &opnote ); - rc = VLV_FIND_SEARCH_FAILED; + slapi_pblock_set( pb, SLAPI_OPERATION_NOTES, &opnote ); + pagedresults_set_unindexed( pb->pb_conn ); + rc = VLV_FIND_SEARCH_FAILED; } else if((*vlv_rc=vlvIndex_accessallowed(pi, pb)) != LDAP_SUCCESS) { PR_RWLock_Unlock(be->vlvSearchList_lock); rc = VLV_ACCESS_DENIED; diff --git a/ldap/servers/slapd/opshared.c b/ldap/servers/slapd/opshared.c index cd33d57..858bc8f 100644 --- a/ldap/servers/slapd/opshared.c +++ b/ldap/servers/slapd/opshared.c @@ -372,6 +372,7 @@ op_shared_search (Slapi_PBlock *pb, int send_result) rc = pagedresults_parse_control_value(ctl_value, &pagesize, &curr_search_count); if (LDAP_SUCCESS == rc) { + unsigned int opnote = SLAPI_OP_NOTE_SIMPLEPAGED; operation->o_flags |= OP_FLAG_PAGED_RESULTS; pr_be = pagedresults_get_current_be(pb->pb_conn); pr_search_result = pagedresults_get_search_result(pb->pb_conn); @@ -379,6 +380,10 @@ op_shared_search (Slapi_PBlock *pb, int send_result) pagedresults_get_search_result_count(pb->pb_conn); estimate = pagedresults_get_search_result_set_size_estimate(pb->pb_conn); + if (pagedresults_get_unindexed(pb->pb_conn)) { + opnote |= SLAPI_OP_NOTE_UNINDEXED; + } + slapi_pblock_set( pb, SLAPI_OPERATION_NOTES, &opnote ); } else { /* parse paged-results-control failed */ if (iscritical) { /* return an error since it's critical */ diff --git a/ldap/servers/slapd/pagedresults.c b/ldap/servers/slapd/pagedresults.c index fdda938..616fd11 100644 --- a/ldap/servers/slapd/pagedresults.c +++ b/ldap/servers/slapd/pagedresults.c @@ -301,6 +301,31 @@ pagedresults_set_with_sort(Connection *conn, int flags) } int +pagedresults_get_unindexed(Connection *conn) +{ + int flags = 0; + if (conn) { + PR_Lock(conn->c_mutex); + flags = conn->c_flags&CONN_FLAG_PAGEDRESULTS_UNINDEXED; + PR_Unlock(conn->c_mutex); + } + return flags; +} + +int +pagedresults_set_unindexed(Connection *conn) +{ + int rc = -1; + if (conn) { + PR_Lock(conn->c_mutex); + conn->c_flags |= CONN_FLAG_PAGEDRESULTS_UNINDEXED; + PR_Unlock(conn->c_mutex); + rc = 0; + } + return rc; +} + +int pagedresults_get_sort_result_code(Connection *conn) { int code = 0; diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h index 6524c80..6f5ae54 100644 --- a/ldap/servers/slapd/proto-slap.h +++ b/ldap/servers/slapd/proto-slap.h @@ -1372,6 +1372,8 @@ int pagedresults_get_search_result_set_size_estimate(Connection *conn); int pagedresults_set_search_result_set_size_estimate(Connection *conn, int cnt); int pagedresults_get_with_sort(Connection *conn); int pagedresults_set_with_sort(Connection *conn, int flags); +int pagedresults_get_unindexed(Connection *conn); +int pagedresults_set_unindexed(Connection *conn); int pagedresults_get_sort_result_code(Connection *conn); int pagedresults_set_sort_result_code(Connection *conn, int code); int pagedresults_set_timelimit(Connection *conn, time_t timelimit); diff --git a/ldap/servers/slapd/result.c b/ldap/servers/slapd/result.c index ca42de5..218b7b9 100644 --- a/ldap/servers/slapd/result.c +++ b/ldap/servers/slapd/result.c @@ -1576,7 +1576,8 @@ struct slapi_note_map { }; static struct slapi_note_map notemap[] = { - { SLAPI_OP_NOTE_UNINDEXED, "U" }, + { SLAPI_OP_NOTE_UNINDEXED, "U" }, + { SLAPI_OP_NOTE_SIMPLEPAGED, "P" } }; #define SLAPI_NOTEMAP_COUNT ( sizeof(notemap) / sizeof(struct slapi_note_map)) diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h index 8a40592..1f4afd9 100644 --- a/ldap/servers/slapd/slap.h +++ b/ldap/servers/slapd/slap.h @@ -1392,6 +1392,10 @@ typedef struct conn { #define CONN_FLAG_PAGEDRESULTS_WITH_SORT 64 /* paged results control is * sent with server side sorting */ + +#define CONN_FLAG_PAGEDRESULTS_UNINDEXED 128 /* If the search is unindexed, + * store the info in c_flags + */ #define CONN_GET_SORT_RESULT_CODE (-1) #define START_TLS_OID "1.3.6.1.4.1.1466.20037" diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h index 3dd92e0..893359c 100644 --- a/ldap/servers/slapd/slapi-plugin.h +++ b/ldap/servers/slapd/slapi-plugin.h @@ -5854,6 +5854,7 @@ typedef struct slapi_plugindesc { /* Extra notes to be logged within access log RESULT lines */ #define SLAPI_OPERATION_NOTES 57 #define SLAPI_OP_NOTE_UNINDEXED 0x01 +#define SLAPI_OP_NOTE_SIMPLEPAGED 0x02 /* Allows controls to be passed before operation object is created */ #define SLAPI_CONTROLS_ARG 58

13 years, 7 months

1
0
0 / 0

ldap/servers

by Noriko Hosoi

ldap/servers/slapd/modrdn.c | 48 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 46 insertions(+), 2 deletions(-) New commits: commit 20d1e7c8e9280e2175ca843f60a50addc096f134 Author: Noriko Hosoi <nhosoi(a)redhat.com> Date: Tue Sep 14 18:05:56 2010 -0700 Bug 625014 - SubTree Renames: ModRDN operation fails and the server hangs if the entry is moved to "under" the same DN. https://bugzilla.redhat.com/show_bug.cgi?id=625014 Description: adding a check if the newsuperior is the entry itself or its descendent. If it is, modrdn returns LDAP_UNWILLING_TO_PERFORM. diff --git a/ldap/servers/slapd/modrdn.c b/ldap/servers/slapd/modrdn.c index 4cca3c9..e8084c2 100644 --- a/ldap/servers/slapd/modrdn.c +++ b/ldap/servers/slapd/modrdn.c @@ -79,6 +79,11 @@ do_modrdn( Slapi_PBlock *pb ) int err = 0, deloldrdn = 0; ber_len_t len = 0; size_t dnlen = 0; + char *newdn = NULL; + char *parent = NULL; + Slapi_DN sdn = {0}; + Slapi_DN snewdn = {0}; + Slapi_DN snewsuperior = {0}; LDAPDebug( LDAP_DEBUG_TRACE, "do_modrdn\n", 0, 0, 0 ); @@ -221,6 +226,38 @@ do_modrdn( Slapi_PBlock *pb ) } /* + * If newsuperior is myself or my descendent, the modrdn should fail. + * Note: need to check the case newrdn is given, and newsuperior + * uses the newrdn, as well. + */ + /* Both newrdn and dn are already normalized. */ + parent = slapi_dn_parent(dn); + newdn = slapi_ch_smprintf("%s,%s", newrdn, parent); + slapi_sdn_set_dn_byref(&sdn, dn); + slapi_sdn_set_dn_byref(&snewdn, newdn); + slapi_sdn_set_dn_byref(&snewsuperior, newsuperior); + if (0 == slapi_sdn_compare(&sdn, &snewsuperior) || + 0 == slapi_sdn_compare(&snewdn, &snewsuperior)) { + op_shared_log_error_access(pb, "MODRDN", rawnewsuperior, + "new superior is identical to the entry dn"); + send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, + "new superior is identical to the entry dn", 0, NULL); + goto free_and_return; + } + if (slapi_sdn_issuffix(&snewsuperior, &sdn) || + slapi_sdn_issuffix(&snewsuperior, &snewdn)) { + /* E.g., + * newsuperior: ou=sub,ou=people,dc=example,dc=com + * dn: ou=people,dc=example,dc=com + */ + op_shared_log_error_access(pb, "MODRDN", rawnewsuperior, + "new superior is descendent of the entry"); + send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, + "new superior is descendent of the entry", 0, NULL); + goto free_and_return; + } + + /* * in LDAPv3 there can be optional control extensions on * the end of an LDAPMessage. we need to read them in and * pass them to the backend. @@ -242,12 +279,19 @@ do_modrdn( Slapi_PBlock *pb ) slapi_pblock_set( pb, SLAPI_MODRDN_DELOLDRDN, &deloldrdn ); op_shared_rename(pb, 1 /* pass in ownership of string arguments */ ); - return; + goto ok_return; free_and_return: slapi_ch_free_string( &dn ); slapi_ch_free_string( &newrdn ); slapi_ch_free_string( &newsuperior ); +ok_return: + slapi_sdn_done(&sdn); + slapi_sdn_done(&snewdn); + slapi_sdn_done(&snewsuperior); + slapi_ch_free_string(&parent); + slapi_ch_free_string(&newdn); + return; } @@ -385,7 +429,7 @@ op_shared_rename(Slapi_PBlock *pb, int passin_args) char **rdns; int deloldrdn; Slapi_Backend *be = NULL; - Slapi_DN sdn; + Slapi_DN sdn = {0}; Slapi_Mods smods; char dnbuf[BUFSIZ]; char newrdnbuf[BUFSIZ];

13 years, 7 months

1
0
0 / 0

18 commits - ldap/servers ldap/systools lib/libaccess lib/libsi18n

by Nathan Kinder

ldap/servers/plugins/acl/acllas.c | 4 ldap/servers/plugins/cos/cos_cache.c | 10 + ldap/servers/plugins/dna/dna.c | 2 ldap/servers/plugins/memberof/memberof.c | 8 - ldap/servers/plugins/mep/mep.c | 1 ldap/servers/plugins/referint/referint.c | 4 ldap/servers/plugins/replication/repl5_ruv.c | 8 - ldap/servers/plugins/replication/repl5_total.c | 2 ldap/servers/plugins/usn/usn.c | 2 ldap/servers/slapd/back-ldbm/dbhelp.c | 8 - ldap/servers/slapd/back-ldbm/import-threads.c | 4 ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c | 7 ldap/servers/slapd/schema.c | 4 ldap/servers/slapd/tools/mmldif.c | 2 ldap/systools/idsktune.c | 5 lib/libaccess/acltools.cpp | 196 ------------------------- lib/libsi18n/reshash.c | 4 17 files changed, 49 insertions(+), 222 deletions(-) New commits: commit 55f94d2a6a4310bd1cd6bacc71fc4ce50b75a9fa Author: Nathan Kinder <nkinder(a)redhat.com> Date: Wed Sep 15 08:55:22 2010 -0700 Bug 630097 - (cov#15509) NULL dereference in idsktune If strdup() fails, the cmd variable will be NULL. We dereference it without checking it strdup() was successful. We should check if cmd is NULL before dereferencing it. diff --git a/ldap/systools/idsktune.c b/ldap/systools/idsktune.c index cd4934d..40f1cf5 100644 --- a/ldap/systools/idsktune.c +++ b/ldap/systools/idsktune.c @@ -1108,6 +1108,11 @@ linux_check_release(void) char osl[128]; char *cmd = strdup("/bin/uname -r"); + if (cmd == NULL) { + printf("ERROR: Unable to allocate memory\n"); + goto done; + } + if (flag_html) printf("<P>\n"); if (flag_debug) printf("DEBUG : %s\n",cmd); fp = popen(cmd,"r"); commit 672f38f84a545678c7c84dfd723de292903ee19a Author: Nathan Kinder <nkinder(a)redhat.com> Date: Wed Sep 15 08:50:31 2010 -0700 Bug 630097 - (cov#15507,15508) NULL dereference in entryrdn code In entryrdn_compare_dups(), we dereference the a and b parameters when initializing the elem_a and elem_b variables. We later perform NULL checks on both a and b, but a NULL would have triggered a crash. We should not dereference a or b until after the NULL checks are performed. diff --git a/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c index 2077999..f3474fa 100644 --- a/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c +++ b/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c @@ -173,8 +173,8 @@ entryrdn_get_noancestorid() int entryrdn_compare_dups(DB *db, const DBT *a, const DBT *b) { - rdn_elem *elem_a = (rdn_elem *)a->data; - rdn_elem *elem_b = (rdn_elem *)b->data; + rdn_elem *elem_a = NULL; + rdn_elem *elem_b = NULL; int delta = 0; if (NULL == a) { @@ -187,6 +187,9 @@ entryrdn_compare_dups(DB *db, const DBT *a, const DBT *b) return 1; } + elem_a = (rdn_elem *)a->data; + elem_b = (rdn_elem *)b->data; + delta = strcmp((char *)elem_a->rdn_elem_nrdn_rdn, (char *)elem_b->rdn_elem_nrdn_rdn); commit f78a37579df8f9c60b4742019231b0dfa49a87a9 Author: Nathan Kinder <nkinder(a)redhat.com> Date: Wed Sep 15 08:28:17 2010 -0700 Bug 630097 - (cov#15506) NULL dereference in dblayer code The first parameter of dblayer_set_env_debugging() is dereferenced inside of that function without NULL checking. We pass the env variable to this function without first checking if it is NULL. We should move the existing NULL check of env up to the top of the dblayer_copy_file_keybybey() function. diff --git a/ldap/servers/slapd/back-ldbm/dbhelp.c b/ldap/servers/slapd/back-ldbm/dbhelp.c index f1f232a..93a0de8 100644 --- a/ldap/servers/slapd/back-ldbm/dbhelp.c +++ b/ldap/servers/slapd/back-ldbm/dbhelp.c @@ -65,15 +65,15 @@ static int dblayer_copy_file_keybykey(DB_ENV *env, char *source_file_name, char LDAPDebug( LDAP_DEBUG_TRACE, "=> dblayer_copy_file_keybykey\n", 0, 0, 0 ); - if (priv->dblayer_file_mode) - mode = priv->dblayer_file_mode; - dblayer_set_env_debugging(env, priv); - if (!env) { LDAPDebug(LDAP_DEBUG_ANY, "dblayer_copy_file_keybykey, Out of memory\n", 0, 0, 0); goto error; } + if (priv->dblayer_file_mode) + mode = priv->dblayer_file_mode; + dblayer_set_env_debugging(env, priv); + /* Open the source file */ retval = db_create(&source_file, env, 0); if (retval) { commit 6319623ea54435610f573e1a1d7b9bbe7b16e878 Author: Nathan Kinder <nkinder(a)redhat.com> Date: Tue Sep 14 15:45:04 2010 -0700 Bug 630097 - (cov#15505) NULL dereference in memberOf code The config parameter is dereferenced before checking if it is NULL early in memberof_modop_one_replace_r(). Later in the function, we first check if config is NULL before dereferencing it. We should check if config is NULL at the beginning of the function and bail out before we dereference it. diff --git a/ldap/servers/plugins/memberof/memberof.c b/ldap/servers/plugins/memberof/memberof.c index 5294892..50da09a 100644 --- a/ldap/servers/plugins/memberof/memberof.c +++ b/ldap/servers/plugins/memberof/memberof.c @@ -980,6 +980,12 @@ int memberof_modop_one_replace_r(Slapi_PBlock *pb, MemberOfConfig *config, Slapi_Value *to_dn_val = slapi_value_new_string(op_to); Slapi_Value *this_dn_val = slapi_value_new_string(op_this); + if (config == NULL) { + slapi_log_error( SLAPI_LOG_FATAL, MEMBEROF_PLUGIN_SUBSYSTEM, + "memberof_modop_one_replace_r: NULL config parameter"); + goto bail; + } + /* determine if this is a group op or single entry */ op_to_sdn = slapi_sdn_new_dn_byref(op_to); slapi_search_internal_get_entry( op_to_sdn, config->groupattrs, @@ -1076,7 +1082,7 @@ int memberof_modop_one_replace_r(Slapi_PBlock *pb, MemberOfConfig *config, "memberof_modop_one_replace_r: %s %s in %s\n" ,op_str, op_this, op_to); - if(config && config->group_filter && !slapi_filter_test_simple(e, config->group_filter)) + if(config->group_filter && !slapi_filter_test_simple(e, config->group_filter)) { /* group */ Slapi_Value *ll_dn_val = 0; commit 50df94f549ae75669c071e610d08ffa9ed9e841c Author: Nathan Kinder <nkinder(a)redhat.com> Date: Tue Sep 14 14:53:43 2010 -0700 Bug 630097 - (cov#15473) NULL dereference in ResHashCreate() If there is a problem allocating pResHash, we jump to the error label. The error label then dereferences pResHash to do a deep free, but it doesn't check if pResHash is NULL first. We need to check if pResHash is NULL before dereferencing it. diff --git a/lib/libsi18n/reshash.c b/lib/libsi18n/reshash.c index 4134b2f..6e3572f 100644 --- a/lib/libsi18n/reshash.c +++ b/lib/libsi18n/reshash.c @@ -276,8 +276,8 @@ ResHash * ResHashCreate(char * name) goto done; error: - if (pResHash->treelist && pResHash->treelist->vlist) free(pResHash->treelist->vlist); - if (pResHash->treelist) free(pResHash->treelist); + if (pResHash && pResHash->treelist && pResHash->treelist->vlist) free(pResHash->treelist->vlist); + if (pResHash && pResHash->treelist) free(pResHash->treelist); if (pResHash) free(pResHash); return NULL; commit b95332620490521a66b248e7e3840507f86705a9 Author: Nathan Kinder <nkinder(a)redhat.com> Date: Tue Sep 14 13:53:33 2010 -0700 Bug 630097 - (cov#15465) Null dereference in USN code At the end of the for loop, be will be NULL if we never find a valid be->be_usn_counter. This will cause us to dereference a NULL pointer at the next if statement after the for loop. We need to check if be is NULL before dereferencing it. diff --git a/ldap/servers/plugins/usn/usn.c b/ldap/servers/plugins/usn/usn.c index 914c7ac..4ad9e66 100644 --- a/ldap/servers/plugins/usn/usn.c +++ b/ldap/servers/plugins/usn/usn.c @@ -582,7 +582,7 @@ usn_rootdse_search(Slapi_PBlock *pb, Slapi_Entry* e, Slapi_Entry* entryAfter, break; } } - if (be->be_usn_counter) { + if (be && be->be_usn_counter) { /* get a next USN counter from be_usn_counter; * then minus 1 from it */ PR_snprintf(usn_berval.bv_val, USN_COUNTER_BUF_LEN, "%" NSPRI64 "d", commit 09653dc9d5719d171d71c2b92c9fe8bff94ed4b6 Author: Nathan Kinder <nkinder(a)redhat.com> Date: Tue Sep 14 11:43:09 2010 -0700 Bug 630097 - (cov#15464) NULL dereference in repl code If the attr parameter that is passed to my_ber_scanf_attr() is NULL, we jump to the loser label where we clean up memory we may have allocated. We dereference attr without first checking if it is NULL in this clean-up code. We need to check if attr is NULL before dereferencing it. diff --git a/ldap/servers/plugins/replication/repl5_total.c b/ldap/servers/plugins/replication/repl5_total.c index 5bf3742..d2987cd 100644 --- a/ldap/servers/plugins/replication/repl5_total.c +++ b/ldap/servers/plugins/replication/repl5_total.c @@ -689,7 +689,7 @@ my_ber_scanf_attr (BerElement *ber, Slapi_Attr **attr, PRBool *deleted) return 0; loser: - if (*attr) + if (attr && *attr) slapi_attr_free (attr); if (value) slapi_value_free (&value); commit 30d6b1ea5c6a7f1f774bb86bea0d995cd9e45f20 Author: Nathan Kinder <nkinder(a)redhat.com> Date: Tue Sep 14 11:27:44 2010 -0700 Bug 630097 - (cov#15463) Remove NULL check in referint plugin Coverity believes that search_result_pb can be NULL since we check if it is NULL before freeing the internal search results. If this was true, there would be a NULL dereference issue when we call slapi_pblock_get(). We are guaranteed that search_result_pb is non-NULL after slapi_pblock_new() is called since the server would exit if it was unable to allocate memory. We should remove the NULL check before freeing the internal search results. diff --git a/ldap/servers/plugins/referint/referint.c b/ldap/servers/plugins/referint/referint.c index 32249e9..e22a018 100644 --- a/ldap/servers/plugins/referint/referint.c +++ b/ldap/servers/plugins/referint/referint.c @@ -769,9 +769,7 @@ update_integrity(char **argv, char *origDN, slapi_ch_free_string(&filter); } - if (search_result_pb) { - slapi_free_search_results_internal(search_result_pb); - } + slapi_free_search_results_internal(search_result_pb); } } /* if got here, then everything good rc = 0 */ commit 94b265fb509ac194dec8e51b6d02f7fd88673aac Author: Nathan Kinder <nkinder(a)redhat.com> Date: Tue Sep 14 11:14:53 2010 -0700 Bug 630097 - (cov#15462) NULL dereference in mep_modrdn_post_op() If we fail to fetch the postop entry for a modrdn operation in the Managed Entry Plug-in, we end up passing a NULL pointer to slapi_entry_attr_get_charptr(). This function dereferences the entry without checking if it is NULL first. The mep_modrdn_post_op() function should just return if we are unable to fetch the postop entry. I believe that this issue could trigger a crash when chain-on-update is configured and a modrdn operation is chained. There is no postop entry in this case. diff --git a/ldap/servers/plugins/mep/mep.c b/ldap/servers/plugins/mep/mep.c index 716b39b..c0ce013 100644 --- a/ldap/servers/plugins/mep/mep.c +++ b/ldap/servers/plugins/mep/mep.c @@ -2021,6 +2021,7 @@ mep_modrdn_post_op(Slapi_PBlock *pb) slapi_log_error(SLAPI_LOG_PLUGIN, MEP_PLUGIN_SUBSYSTEM, "mep_modrdn_post_op: Error " "retrieving post-op entry\n"); + return 0; } if ((old_dn = mep_get_dn(pb))) { commit b28a60185cd54f149e77a1f34ffbfd676f5f2342 Author: Nathan Kinder <nkinder(a)redhat.com> Date: Tue Sep 14 11:00:59 2010 -0700 Bug 630097 - (cov#15461) Remove unnecessary NULL check in DNA It is not necessary to check if config_entry->types is NULL since it is guaranteed to be non-NULL by dna_parse_config_entry() when it creates config_entry. Coverity thinks that a NULL derefence is possible since we are checking if config_entry->types is NULL. We should remove this NULL check. diff --git a/ldap/servers/plugins/dna/dna.c b/ldap/servers/plugins/dna/dna.c index 837b674..e60f371 100644 --- a/ldap/servers/plugins/dna/dna.c +++ b/ldap/servers/plugins/dna/dna.c @@ -2861,7 +2861,7 @@ static int dna_pre_op(Slapi_PBlock * pb, int modtype) if (LDAP_CHANGETYPE_ADD == modtype) { - if (config_entry->types && dna_is_multitype_range(config_entry)) { + if (dna_is_multitype_range(config_entry)) { /* For a multi-type range, we only generate a value * for types where the magic value is set. We do not * generate a value for missing types. */ commit a250d242395d089e7e8a2b2a3d07394eaa49d4d4 Author: Nathan Kinder <nkinder(a)redhat.com> Date: Tue Sep 14 10:27:43 2010 -0700 Bug 630097 - (cov#15460) NULL deference in ACL URL code When parsing a URL without a host or port present, we can dereference a NULL pointer. We need to check if hostport is NULL before dereferencing it. diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c index a41487e..6271fb1 100644 --- a/ldap/servers/plugins/acl/acllas.c +++ b/ldap/servers/plugins/acl/acllas.c @@ -3598,7 +3598,7 @@ acllas__client_match_URL (struct acl_pblock *aclpb, char *n_clientdn, char *url normed = slapi_ch_smprintf("%s%s%s%s%s", (prefix_len==LDAP_URL_prefix_len)? LDAP_URL_prefix_core:LDAPS_URL_prefix_core, - hostport, dn, p?"?":"",p?p+1:""); + hostport?hostport:"", dn, p?"?":"",p?p+1:""); if (p) { *p = Q; /* put the Q back in rawdn which will un-null terminate the DN part */ } @@ -3606,7 +3606,7 @@ acllas__client_match_URL (struct acl_pblock *aclpb, char *n_clientdn, char *url /* dn was allocated in slapi_dn_normalize_ext */ slapi_ch_free_string(&dn); } - if ('/' != *hostport) { + if (hostport && ('/' != *hostport)) { slapi_ch_free_string(&hostport); } rc = slapi_ldap_url_parse(normed, &ludp, 1, NULL); commit b35cc7e0ff07244f8e4eb2a0a41435ce83174c39 Author: Nathan Kinder <nkinder(a)redhat.com> Date: Tue Sep 14 09:21:36 2010 -0700 Bug 630097 - (cov#12182,12183) NULL dereference in import code The entry pointer that is passed to slapi_entry_attr_find() is dereferenced by that function without a check for NULL. We should check if ep->ep_entry is NULL before calling slapi_entry_attr_find(). diff --git a/ldap/servers/slapd/back-ldbm/import-threads.c b/ldap/servers/slapd/back-ldbm/import-threads.c index 1d49054..171be08 100644 --- a/ldap/servers/slapd/back-ldbm/import-threads.c +++ b/ldap/servers/slapd/back-ldbm/import-threads.c @@ -634,7 +634,7 @@ import_producer(void *param) } ep = import_make_backentry(e, id); - if (!ep) { + if ((ep == NULL) || (ep->ep_entry == NULL)) { slapi_entry_free(e); goto error; } @@ -2734,7 +2734,7 @@ static int bulk_import_queue(ImportJob *job, Slapi_Entry *entry) /* make into backentry */ ep = import_make_backentry(entry, id); - if (!ep) { + if ((ep == NULL) || (ep->ep_entry == NULL)) { import_abort_all(job, 1); PR_Unlock(job->wire_lock); return -1; commit ff41170172f721a651eb3e00f676b7228f611b9d Author: Nathan Kinder <nkinder(a)redhat.com> Date: Tue Sep 14 08:35:47 2010 -0700 Bug 630097 - (cov#12148) NULL dereference in ruvInit() We need to check if ruv is NULL before dereferencing it. The assertion will not help us here in an optimized build, so an explicit NULL check will keep us from crashing. diff --git a/ldap/servers/plugins/replication/repl5_ruv.c b/ldap/servers/plugins/replication/repl5_ruv.c index 78f7a53..d2917ac 100644 --- a/ldap/servers/plugins/replication/repl5_ruv.c +++ b/ldap/servers/plugins/replication/repl5_ruv.c @@ -1443,6 +1443,10 @@ ruvInit (RUV **ruv, int initCount) { PR_ASSERT (ruv); + if (ruv == NULL) { + return RUV_NSPR_ERROR; + } + /* allocate new RUV */ *ruv = (RUV *)slapi_ch_calloc (1, sizeof (RUV)); @@ -1457,9 +1461,7 @@ ruvInit (RUV **ruv, int initCount) { slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "ruvInit: failed to create lock\n"); - if (*ruv) { - dl_free(&(*ruv)->elements); - } + dl_free(&(*ruv)->elements); slapi_ch_free((void**)ruv); return RUV_NSPR_ERROR; } commit 3571d7a5855cb1c222f83f98e03c340185e43152 Author: Nathan Kinder <nkinder(a)redhat.com> Date: Mon Sep 13 15:05:52 2010 -0700 Bug 630097 - (cov#12143) NULL dereference in cos cache code The tmpDn pointer is deferenced before checking if it is NULL. We need to check if it is NULL first. diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c index fe8f534..e20fd0d 100644 --- a/ldap/servers/plugins/cos/cos_cache.c +++ b/ldap/servers/plugins/cos/cos_cache.c @@ -1383,7 +1383,7 @@ static int cos_cache_add_defn( int ret = 0; int tmplCount = 0; cosDefinitions *theDef = 0; - cosAttrValue *pTmpTmplDn = *tmpDn; + cosAttrValue *pTmpTmplDn = 0; cosAttrValue *pDummyAttrVal = 0; cosAttrValue *pAttrsIter = 0; cosAttributes *pDummyAttributes = 0; @@ -1396,9 +1396,15 @@ static int cos_cache_add_defn( ret = -1; goto out; } - pSpecsIter = *spec; + if (!tmpDn) { + LDAPDebug( LDAP_DEBUG_ANY, "missing tmpDn\n",0,0,0); + ret = -1; + goto out; + } + pTmpTmplDn = *tmpDn; + /* we don't want cosspecifiers that can be supplied by the same scheme */ while( pSpecsIter ) { commit 562f39848cdb2486d97cc730607337f7bd5e566c Author: Nathan Kinder <nkinder(a)redhat.com> Date: Mon Sep 13 14:56:16 2010 -0700 Bug 630097 - (cov#11964) Remove dead code from libaccess The libaccess library has some dead functions it it. One of these functions was flagged as having a NULL pointer dereference issue by Coverity. The problem function is unused, so it should be removed. There are also a number of other unused functions in the same source file that should be removed. diff --git a/lib/libaccess/acltools.cpp b/lib/libaccess/acltools.cpp index 4e1274e..69d0c2e 100644 --- a/lib/libaccess/acltools.cpp +++ b/lib/libaccess/acltools.cpp @@ -1509,202 +1509,6 @@ Symbol_t *sym; return(ACLERRUNDEF); } -/* - * local function: translate string to lower case - * return <0: fail - * 0: succeed - */ -int -open_file_buf(FILE ** file, char * filename, char *mode, char ** buf, long * size) -{ - int rv = 0; - long cur = 0; - long in = 0; - struct stat fi; - - if (filename==NULL || mode==NULL) { - rv = ACLERROPEN; - goto open_cleanup; - } - - if ((*file=fopen(filename,mode))==NULL) { - rv = ACLERROPEN; - goto open_cleanup; - } - - if (system_stat(filename, &fi)==-1) { - rv = ACLERROPEN; - goto open_cleanup; - } - - *size = fi.st_size; - - if ((*buf=(char *)PERM_MALLOC(*size+1))==NULL) { - rv = ACLERRNOMEM; - goto open_cleanup; - } - - - rv = 0; - while (cur<*size) { - in=fread(&(*buf)[cur], 1, *size, *file); - cur = cur+in; - if (feof(*file)) { - break; - } - if (ferror(*file)) { - rv = ACLERRIO; - break; - } - } - if (rv==0) - (*buf)[cur] = 0; - -open_cleanup: - if (rv<0) { - if (*file) - fclose(*file); - if (*buf) { - PERM_FREE(*buf); - *buf = NULL; - } - } - return rv; -} - - -/* - * local function: writes buf to disk and close the file - */ -void -close_file_buf(FILE * file, char * filename, char * mode, char * buf) -{ - if (file==NULL) - return; - fclose(file); - if (strchr(mode, 'w')!=NULL || strchr(mode, 'a')!=NULL) { - file = fopen(filename, "wb"); - fwrite(buf,1,strlen(buf),file); - fclose(file); - } - if (*buf) { - PERM_FREE(buf); - } -} - - -/* - * local function: translate string to lower case - */ -char * -str_tolower(char * string) -{ - register char * p = string; - for (; *p; p++) - *p = tolower(*p); - return string; -} - -/* - * local function: get the first name appear in block - * return: 0 : not found, - * 1 : found - */ -int -acl_get_first_name(char * block, char ** name, char ** next) -{ - char bounds[] = "\t \"\';"; - char boundchar; - char *p=NULL, *q=NULL, *start=NULL, *end=NULL; - - if (block==NULL) - return 0; -try_next: - if ((p=strstr(block, "acl"))!=NULL) { - - // check if this "acl" is the first occurance in this line. - for (q=p-1; ((q>=block) && *q!='\n'); q--) { - if (strchr(" \t",*q)==NULL) { - // if not, try next; - block = p+3; - goto try_next; - } - } - - p+=3; - while (strchr(bounds,*p)&&(*p!=0)) - p++; - if (*p==0) - return 0; - boundchar = *(p-1); - start = p; - while ((boundchar!=*p)&&(*p!=0)&&(*p!=';')) - p++; - if (*p==0) - return 0; - end = p; - *name = (char *)PERM_MALLOC(end-start+1); - strncpy(*name, start, (end-start)); - (*name)[end-start]=0; - *next = end; - return 1; - } - return 0; -} - -/* - * local function: find the pointer to acl string from the given block - */ -char * -acl_strstr(char * block, char * aclname) -{ - const char set[] = "\t \"\';"; - char * name, * rstr = NULL; - char * lowerb = block; - int found = 0; - - if (block==NULL||aclname==NULL) - return NULL; - - while ((name = strstr(block, aclname))!=NULL && !found) { - if (name>lowerb) { // This should be true, just in case - if ((strchr(set,name[-1])!=0) && (strchr(set,name[strlen(aclname)])!=0)) { - // the other 2 sides are in boundary set, that means, this is an exact match. - while (&name[-1]>=lowerb) { - name --; - if (strchr(set, *name)==0) - break; // should point to 'l' - } - - if (name==lowerb) - return NULL; - - if ((name-2)>=lowerb) - if ((name[-2]=='a') && (name[-1]=='c') && (*name=='l')) { - name -= 2; // name point to 'a' - rstr = name; - while (TRUE) { - if (name==lowerb) { - found = 1; - break; - } - else if (name[-1]==' '||name[-1]=='\t') - name --; - else if (name[-1]=='\n') { - found = 1; - break; - } - else - break; // acl is not at the head, there are other chars. - } - } - } - block = name + strlen(aclname); - } - } - return rstr; -} - /* * Destroy a NameList commit 7c00bf728c3a8c20c08d76f66cccaf892c81a5f2 Author: Nathan Kinder <nkinder(a)redhat.com> Date: Mon Sep 13 13:34:07 2010 -0700 Bug 630097 - (cov#11946) NULL dereference in ResHashCreate() If we jump to the error label due to an error allocating memory for pResHash->treelist, we try to do a free of pResHash->treelist->vlist without checking if pResHash->treelist is NULL. We need to perform this NULL check before dereferencing pResHash->treelist. diff --git a/lib/libsi18n/reshash.c b/lib/libsi18n/reshash.c index 4c8e900..4134b2f 100644 --- a/lib/libsi18n/reshash.c +++ b/lib/libsi18n/reshash.c @@ -276,7 +276,7 @@ ResHash * ResHashCreate(char * name) goto done; error: - if (pResHash->treelist->vlist) free(pResHash->treelist->vlist); + if (pResHash->treelist && pResHash->treelist->vlist) free(pResHash->treelist->vlist); if (pResHash->treelist) free(pResHash->treelist); if (pResHash) free(pResHash); return NULL; commit 243ba589c5a69a42bdae8459bd3e6d2e65853de8 Author: Nathan Kinder <nkinder(a)redhat.com> Date: Mon Sep 13 13:50:42 2010 -0700 Bug 630097 - (cov#11938) NULL dereference in mmldif There is a chance that we can deference a NULL pointer in the mmldif code. If "(numb > tot_b)" is true, it is not guaranteed that "a" is non-NULL. We need to check if "a" is NULL before dereferencing it in the "(cmp < 0)" case. diff --git a/ldap/servers/slapd/tools/mmldif.c b/ldap/servers/slapd/tools/mmldif.c index 291702a..665452c 100644 --- a/ldap/servers/slapd/tools/mmldif.c +++ b/ldap/servers/slapd/tools/mmldif.c @@ -1086,7 +1086,7 @@ addmodified(FILE * edf3, attrib1_t * attrib, record_t * first) } else { cmp = stricmp(a->name, attribname(b)); } - if (cmp < 0) { + if ((cmp < 0) && (a != NULL)) { /* a < b: a is deleted */ attrname = a->name; fprintf(edf3, "delete: %s\n-\n", attrname); commit 839e52c73e04e782c8069fe9c9e1aeea0b73a1c0 Author: Nathan Kinder <nkinder(a)redhat.com> Date: Mon Sep 13 09:20:21 2010 -0700 Bug 630097 - (cov#11933) Fix NULL dereference in schema code There is a possibility of deferencing prevocp when it is NULL the second time through the loop if the first pass was not a standard objectclass definition and tmpocp != curlisthead. I don't think that this issue is possible unless some other thread was able to modify tmpocp->oc_next between where curlisthead is set (schema.c:2654) and where nextocp is set (schema.c:2658) the first time through the loop. That said, I see no harm in checking if prevocp is NULL before attempting to dereference it. diff --git a/ldap/servers/slapd/schema.c b/ldap/servers/slapd/schema.c index 6e2fefe..14f3e76 100644 --- a/ldap/servers/slapd/schema.c +++ b/ldap/servers/slapd/schema.c @@ -2653,7 +2653,9 @@ clean_up_and_return: if ( tmpocp == curlisthead ) { curlisthead = tmpocp->oc_next; } else { - prevocp->oc_next = tmpocp->oc_next; + if (prevocp) { + prevocp->oc_next = tmpocp->oc_next; + } } nextocp = tmpocp->oc_next; oc_free( &tmpocp );

13 years, 7 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-commits September 2010