coolkey/src/coolkey machdep.cpp,1.9,1.10
by Robert Relyea
Author: rrelyea
Update of /cvs/dirsec/coolkey/src/coolkey
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv4615
Modified Files:
machdep.cpp
Log Message:
Fix incorrect unlink in error path
Index: machdep.cpp
===================================================================
RCS file: /cvs/dirsec/coolkey/src/coolkey/machdep.cpp,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- machdep.cpp 8 Sep 2010 20:55:30 -0000 1.9
+++ machdep.cpp 20 Sep 2010 22:11:38 -0000 1.10
@@ -364,7 +364,7 @@
}
ret = write(shmemData->fd,buf,len);
if (ret != len) {
- unlink(shmemData->fd,buf,len);
+ unlink(shmemData->path);
#ifdef FULL_CLEANUP
flock(shmemData->fd, LOCK_UN);
#endif
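Review bot: The corrected `unlink(shmemData->path);` removes the file by name while `shmemData->fd` is still open, and its return value is ignored. If the directory holding that path is writable by other users (not visible here), the name may no longer refer to the file behind the descriptor, so it is worth confirming that directory is private to the owner. A failed unlink would leave a partially written file behind, so consider logging both the short `write` and an `unlink` failure. The enclosing function starts and ends outside the hunk, so whether the descriptor is closed afterwards cannot be checked from here.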
13 years, 7 months
lib/libaccess
by Nathan Kinder
lib/libaccess/acl.tab.cpp | 4 ++++
1 file changed, 4 insertions(+)
New commits:
commit 62cc84cec98c46d5792178d483f8780d43537d0a
Author: Endi Sukma Dewata <edewata(a)redhat.com>
Date: Fri Sep 17 18:25:48 2010 -0400
Bug 630092 - Coverity #11992,11993: Resource leaks issues
https://bugzilla.redhat.com/show_bug.cgi?id=630092
Description:
The acl_Parse() has been modified to release newacls and newaclv
when an error occurs.
diff --git a/lib/libaccess/acl.tab.cpp b/lib/libaccess/acl.tab.cpp
index 5f6610d..ddf40a6 100644
--- a/lib/libaccess/acl.tab.cpp
+++ b/lib/libaccess/acl.tab.cpp
@@ -846,7 +846,11 @@ int acl_Parse()
aclv = ACLCOPY(newaclv, aclv, ACLSTYPE);
}
else
+ {
aclnewmax = 0; /* failed */
+ if (newacls) PERM_FREE(newacls);
+ if (newaclv) PERM_FREE(newaclv);
+ }
}
else /* not first time */
{
13 years, 7 months
7 commits - ldap/servers lib/ldaputil
by Nathan Kinder
ldap/servers/plugins/acl/acllas.c | 4 +---
ldap/servers/plugins/cos/cos_cache.c | 1 +
ldap/servers/slapd/libglobs.c | 2 +-
ldap/servers/slapd/plugin.c | 4 ++--
ldap/servers/slapd/str2filter.c | 1 +
ldap/servers/slapd/tools/ldclt/scalab01.c | 18 +++++++++++++-----
lib/ldaputil/certmap.c | 1 +
7 files changed, 20 insertions(+), 11 deletions(-)
New commits:
commit e84ef2eceaeaae02acf62b74b37be8e9b2ac59bc
Author: Endi Sukma Dewata <edewata(a)redhat.com>
Date: Fri Sep 17 16:37:27 2010 -0400
Bug 630092 - Coverity #11985: Resource leaks issues
https://bugzilla.redhat.com/show_bug.cgi?id=630092
Description:
The str2simple() has been modified to release unqstr when
an error occurs.
diff --git a/ldap/servers/slapd/str2filter.c b/ldap/servers/slapd/str2filter.c
index 0dd91a5..9ffcf24 100644
--- a/ldap/servers/slapd/str2filter.c
+++ b/ldap/servers/slapd/str2filter.c
@@ -320,6 +320,7 @@ str2simple( char *str , int unescape_filter)
value[len] = savechar;
if (!r) {
slapi_filter_free(f, 1);
+ slapi_ch_free((void**)&unqstr);
return NULL;
}
f->f_avvalue.bv_val = unqstr;
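Review bot: The added `slapi_ch_free((void**)&unqstr);` reaches for the generic free with a `(void**)` cast, although `unqstr` appears to be a string (it is assigned to `bv_val` on the line after the error branch). `slapi_ch_free_string(&unqstr);`, which the acllas.c change in this same series uses, does the same job without the cast and keeps the compiler's type check. The declaration of `unqstr` is outside the hunk, so confirm its type before switching.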
commit a9b98efb4fda1672e915a6d4cbbad1b096e8f66d
Author: Endi Sukma Dewata <edewata(a)redhat.com>
Date: Fri Sep 17 17:07:54 2010 -0400
Bug 630092 - Coverity #12003: Resource leaks issues
https://bugzilla.redhat.com/show_bug.cgi?id=630092
Description:
The cos_cache_add_defn() has been modified to release theDef
when an error occurs.
diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c
index e20fd0d..db99586 100644
--- a/ldap/servers/plugins/cos/cos_cache.c
+++ b/ldap/servers/plugins/cos/cos_cache.c
@@ -1498,6 +1498,7 @@ static int cos_cache_add_defn(
out:
if(ret < 0)
{
+ slapi_ch_free((void**)&theDef);
if(dn)
cos_cache_del_attrval_list(dn);
if(tree)
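Review bot: The new `slapi_ch_free((void**)&theDef);` under `out:` frees the definition on every `ret < 0` exit, but the hunk does not show whether `theDef` has already been linked into the definitions list when a later step fails. If it has, the list keeps a pointer to freed memory, so the failing path needs to unlink it first or the free should be limited to the not-yet-linked case. A one-line comment at the free, for example `/* theDef is not yet owned by the cache on this path */`, would record the ownership assumption. The body of cos_cache_add_defn starts and ends outside the hunk.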
commit 16b151c38f14f9ca7eed6611df44c1c5d1fca42f
Author: Endi Sukma Dewata <edewata(a)redhat.com>
Date: Fri Sep 17 16:58:53 2010 -0400
Bug 630092 - Coverity #12000: Resource leaks issues
https://bugzilla.redhat.com/show_bug.cgi?id=630092
Description:
The plugin_setup() has been modified to release the value before
it returns.
diff --git a/ldap/servers/slapd/plugin.c b/ldap/servers/slapd/plugin.c
index aa54426..b8257d1 100644
--- a/ldap/servers/slapd/plugin.c
+++ b/ldap/servers/slapd/plugin.c
@@ -2270,6 +2270,7 @@ plugin_setup(Slapi_Entry *plugin_entry, struct slapi_componentid *group,
plugin->plg_initfunc, plugin->plg_name,
plugin->plg_libpath);
status = -1;
+ slapi_ch_free((void**)&value);
goto PLUGIN_CLEANUP;
}
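Review bot: The leak is closed only on this one exit: `slapi_ch_free((void**)&value);` is added directly before this `goto PLUGIN_CLEANUP`, so any other jump to that label taken while `value` is still allocated would leak in the same way. Releasing `value` once under the `PLUGIN_CLEANUP:` label would cover every exit, and the second hunk already relies on the call being safe for a NULL pointer. The label and the other jumps are outside the hunk, so this needs checking against the full function.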
@@ -2277,8 +2278,7 @@ plugin_setup(Slapi_Entry *plugin_entry, struct slapi_componentid *group,
status = plugin_add_descriptive_attributes( plugin_entry, plugin );
}
- if (value)
- slapi_ch_free((void**)&value);
+ slapi_ch_free((void**)&value);
if(enabled)
{
commit a076dbbf8eefee8c84b0c7af12f9d2819db11452
Author: Endi Sukma Dewata <edewata(a)redhat.com>
Date: Fri Sep 17 16:46:03 2010 -0400
Bug 630092 - Coverity #11991: Resource leaks issues
https://bugzilla.redhat.com/show_bug.cgi?id=630092
Description:
The acllas__client_match_URL() has been modified to release the
hostport before it returns.
diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c
index 6271fb1..99b0281 100644
--- a/ldap/servers/plugins/acl/acllas.c
+++ b/ldap/servers/plugins/acl/acllas.c
@@ -3606,9 +3606,6 @@ acllas__client_match_URL (struct acl_pblock *aclpb, char *n_clientdn, char *url
/* dn was allocated in slapi_dn_normalize_ext */
slapi_ch_free_string(&dn);
}
- if (hostport && ('/' != *hostport)) {
- slapi_ch_free_string(&hostport);
- }
rc = slapi_ldap_url_parse(normed, &ludp, 1, NULL);
if (rc) {
slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
@@ -3673,6 +3670,7 @@ acllas__client_match_URL (struct acl_pblock *aclpb, char *n_clientdn, char *url
result = ACL_FALSE;
done:
+ slapi_ch_free_string(&hostport);
ldap_free_urldesc( ludp );
slapi_ch_free_string(&normed);
slapi_filter_free ( f, 1 ) ;
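Review bot: The new `slapi_ch_free_string(&hostport);` under `done:` is unconditional, whereas the block it replaces freed `hostport` only when `'/' != *hostport`. That old guard suggests `hostport` may in the `/` case refer to memory it does not own (a literal or a pointer into `url`), and freeing such a pointer would corrupt the heap. Unless every assignment to `hostport` is an allocation, keep the condition: `if (hostport && ('/' != *hostport)) slapi_ch_free_string(&hostport);`. `hostport` must also be initialised to NULL for the early `goto done` paths; its declaration and assignments are outside both hunks.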
commit 9433fc73f04520ce7f309fef6bcc4052146d34fe
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Fri Sep 17 14:14:53 2010 -0700
Bug 630092 - (cov#12068) Resource leak in certmap code
The ldapu_propval_list_free() function was freeing the nodes in
the list, but not the list itself. We need to free the list itself
after all of the nodes have been freed.
diff --git a/lib/ldaputil/certmap.c b/lib/ldaputil/certmap.c
index 9c6b2ba..f3da425 100644
--- a/lib/ldaputil/certmap.c
+++ b/lib/ldaputil/certmap.c
@@ -1472,6 +1472,7 @@ void ldapu_propval_list_free (void *propval_list)
{
LDAPUPropValList_t *list = (LDAPUPropValList_t *)propval_list;
ldapu_list_free(list, ldapu_propval_free);
+ free(list);
}
int ldapu_certmap_init (const char *config_file,
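Review bot: The added `free(list);` releases the list head with libc `free`, but the allocation site is not in the hunk; if the head comes from a project allocator wrapper, the matching release function should be used instead. Because the function takes `void *propval_list` by value, the caller's pointer is left dangling afterwards, which deserves a comment such as `/* frees the list head too; caller must not reuse propval_list */`.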
commit 6b3b9009af5c85b0be9dea36aca86c93972a20a4
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Fri Sep 17 14:37:47 2010 -0700
Bug 630092 - (cov#12105) Resource leak in pwdscheme config code
We don't free new_scheme if the password encode function is not
set. We need to free new_scheme in this error case.
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index f36588c..b88a69a 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -1600,7 +1600,6 @@ config_set_pw_storagescheme( const char *attrname, char *value, char *errorbuf,
}
retVal = LDAP_OPERATIONS_ERROR;
slapi_ch_free_string(&scheme_list);
- free_pw_scheme(new_scheme);
return retVal;
}
else if ( new_scheme->pws_enc == NULL )
@@ -1616,6 +1615,7 @@ config_set_pw_storagescheme( const char *attrname, char *value, char *errorbuf,
}
retVal = LDAP_UNWILLING_TO_PERFORM;
slapi_ch_free_string(&scheme_list);
+ free_pw_scheme(new_scheme);
return retVal;
}
commit e1702b5a0442013d829eb6e1f4a4c1b7eeb71516
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Fri Sep 17 13:31:56 2010 -0700
Bug 630092 - (cov#12116) Resource leak in ldclt code
There is a chance that we leak the memory pointed to by the new
variable if we never have one of the ldclt contexts point to it.
We need to jump to the error label in this case to free the memory.
diff --git a/ldap/servers/slapd/tools/ldclt/scalab01.c b/ldap/servers/slapd/tools/ldclt/scalab01.c
index c0437b0..39345bd 100644
--- a/ldap/servers/slapd/tools/ldclt/scalab01.c
+++ b/ldap/servers/slapd/tools/ldclt/scalab01.c
@@ -465,6 +465,13 @@ scalab01_addLogin (
else
{
cur = s1ctx.list;
+
+ /* If cur is NULL, we should just bail and free new. */
+ if (cur == NULL)
+ {
+ goto error;
+ }
+
while (cur != NULL)
{
if (cur->next == NULL)
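Review bot: The new `goto error;` leaves the function from inside the list-insertion code, and the hunk does not show whether a lock protecting `s1ctx.list` is held at that point. If one is, the `error` label has to release it as well as free `new`, otherwise the next caller blocks forever. The existing comment says only that the code bails; `/* cur cannot be NULL if the earlier list checks hold; defensive exit that frees new */` would state why the branch exists. The function body begins and ends outside the hunk.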
@@ -472,15 +479,16 @@ scalab01_addLogin (
cur->next = new;
cur = NULL; /* Exit loop */
}
- else
- if (cur->next->counter >= duration)
- {
+ else if (cur->next->counter >= duration)
+ {
new->next = cur->next;
cur->next = new;
cur = NULL; /* Exit loop */
- }
- else
+ }
+ else
+ {
cur = cur->next;
+ }
}
}
}
13 years, 7 months
mod_nss nss_engine_io.c,1.10,1.11
by Rob Crittenden
Author: rcritten
Update of /cvs/dirsec/mod_nss
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv26603
Modified Files:
nss_engine_io.c
Log Message:
Fix endless read loop in some situations when handling POST data (#620856)
This was discovered in the dogtag TPS subsystem. I haven't been able to
duplicate it outside of that but it is trivial inside. This seems to fix
it and brings the code closer to what mod_ssl does here as well.
Index: nss_engine_io.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_io.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- nss_engine_io.c 11 Nov 2009 18:20:39 -0000 1.10
+++ nss_engine_io.c 17 Sep 2010 19:39:27 -0000 1.11
@@ -259,7 +259,8 @@
*/
if (APR_STATUS_IS_EAGAIN(inctx->rc) || APR_STATUS_IS_EINTR(inctx->rc)
|| (inctx->rc == APR_SUCCESS && APR_BRIGADE_EMPTY(inctx->bb))) {
- PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
+ nspr_filter_out_ctx_t *outctx = filter_ctx->outctx;
+ inctx->rc = outctx->rc;
return -1;
}
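Review bot: The `return -1` in this branch is now reached without any NSPR error being set, because `PR_SetError(PR_WOULD_BLOCK_ERROR, 0);` was dropped rather than replaced, so a caller that consults `PR_GetError()` would see whatever an earlier call left behind. `filter_ctx->outctx` is also dereferenced without a NULL check, and copying `outctx->rc` over `inctx->rc` discards the EAGAIN/EINTR status that selected this branch. A comment such as `/* propagate the output filter's status so the read loop terminates (#620856) */` would record the reasoning. The block comment ending at the top of the hunk begins outside it and may need updating too.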
13 years, 7 months
11 commits - ldap/servers
by Nathan Kinder
ldap/servers/plugins/mep/mep.c | 15 +++++++++++----
ldap/servers/plugins/replication/repl5_protocol_util.c | 6 ++----
ldap/servers/plugins/replication/windows_protocol_util.c | 2 ++
ldap/servers/slapd/back-ldbm/import-threads.c | 4 ++++
ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c | 5 +++++
ldap/servers/slapd/back-ldbm/ldbm_modrdn.c | 1 +
ldap/servers/slapd/tools/mmldif.c | 3 ++-
7 files changed, 27 insertions(+), 9 deletions(-)
New commits:
commit 2af08b37e8bcebb68ad85c8cc6195f8f6d3403f1
Author: Endi Sukma Dewata <edewata(a)redhat.com>
Date: Thu Sep 16 14:35:12 2010 -0400
Bug 630092 - Coverity #15497: Resource leaks issues
https://bugzilla.redhat.com/show_bug.cgi?id=630092
Description:
The moddn_rename_children() has been modified to release
child_entry_copies before it returns.
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
index c8b4903..e62a8b5 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
@@ -1598,6 +1598,7 @@ moddn_rename_children(
}
}
slapi_ldap_value_free( newsuperiordns );
+ slapi_ch_free((void**)&child_entry_copies);
return retval;
}
commit f88490faa19daaf0e43ed27a7f936ea5cca4cda0
Author: Endi Sukma Dewata <edewata(a)redhat.com>
Date: Thu Sep 16 14:29:30 2010 -0400
Bug 630092 - Coverity #15490: Resource leaks issues
https://bugzilla.redhat.com/show_bug.cgi?id=630092
Description:
The import_producer() has been modified to release ep when an error
occurred.
diff --git a/ldap/servers/slapd/back-ldbm/import-threads.c b/ldap/servers/slapd/back-ldbm/import-threads.c
index b18bbce..c00e4b7 100644
--- a/ldap/servers/slapd/back-ldbm/import-threads.c
+++ b/ldap/servers/slapd/back-ldbm/import-threads.c
@@ -636,6 +636,7 @@ import_producer(void *param)
ep = import_make_backentry(e, id);
if ((ep == NULL) || (ep->ep_entry == NULL)) {
slapi_entry_free(e);
+ backentry_free(&ep);
goto error;
}
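Review bot: The added `backentry_free(&ep);` is reached when `ep == NULL`, since that is the first half of the condition guarding this branch, so it is only safe if backentry_free tolerates a pointer to NULL. The same call is added under the same condition in the bulk_import_queue() change further down this page. If that tolerance is not guaranteed, guard it as `if (ep) backentry_free(&ep);`. The function body continues outside the hunk.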
commit 1aab7c095a094f81916b7061a447570fde17407a
Author: Endi Sukma Dewata <edewata(a)redhat.com>
Date: Thu Sep 16 14:25:00 2010 -0400
Bug 630092 - Coverity #15487: Resource leaks issues
https://bugzilla.redhat.com/show_bug.cgi?id=630092
Description:
The index_set_entry_to_fifo() has been modified to release ep when
the job is aborted.
diff --git a/ldap/servers/slapd/back-ldbm/import-threads.c b/ldap/servers/slapd/back-ldbm/import-threads.c
index 9629a9e..b18bbce 100644
--- a/ldap/servers/slapd/back-ldbm/import-threads.c
+++ b/ldap/servers/slapd/back-ldbm/import-threads.c
@@ -805,6 +805,7 @@ index_set_entry_to_fifo(ImportWorkerInfo *info, Slapi_Entry *e,
}
if (job->flags & FLAG_ABORT) {
+ backentry_free(&ep);
goto bail;
}
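Review bot: Both added `backentry_free(&ep);` calls (here and in the next hunk) release the wrapper on the abort path, but `ep` appears to wrap the `Slapi_Entry *e` passed in by the caller. If backentry_free also releases the wrapped entry, a caller that frees `e` itself after this function reports failure would free it twice. The ownership of `e` on the `bail` path should be stated in the function's header comment and checked against each caller. Neither the construction of `ep` nor the `bail` label is visible in these hunks.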
@@ -831,6 +832,7 @@ index_set_entry_to_fifo(ImportWorkerInfo *info, Slapi_Entry *e,
DS_Sleep(sleeptime);
}
if (job->flags & FLAG_ABORT) {
+ backentry_free(&ep);
goto bail;
}
commit 889b6d03b0e6ef0b315f78437dc7217e23ae63d0
Author: Endi Sukma Dewata <edewata(a)redhat.com>
Date: Thu Sep 16 14:18:05 2010 -0400
Bug 630092 - Coverity #15485: Resource leaks issues
https://bugzilla.redhat.com/show_bug.cgi?id=630092
Description:
The _entryrdn_delete_key() has been modified to release tmpsrdn
when an error occurs.
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c
index 503d96b..4fbae15 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c
@@ -2363,6 +2363,7 @@ retry_get0:
"_entryrdn_delete_key: Failed to generate a parent "
"elem: dn: %s\n", dn);
slapi_ch_free_string(&dn);
+ slapi_rdn_free(&tmpsrdn);
goto bail;
}
} else if (parentnrdn) {
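Review bot: The added `slapi_rdn_free(&tmpsrdn);` is unconditional, while the companion fix to _entryrdn_index_read() on this page guards the same call with `if (tmpsrdn != srdn)` in one of its two places. If `tmpsrdn` can alias the caller's `srdn` on this path of _entryrdn_delete_key(), the free releases an RDN the caller still uses. The assignment to `tmpsrdn` is outside the hunk, so confirm it is always a private copy here or add the same guard.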
commit ba741cade5aef1cbb8ede386b7f2b85d57745d75
Author: Endi Sukma Dewata <edewata(a)redhat.com>
Date: Thu Sep 16 12:38:32 2010 -0400
Bug 630092 - Coverity #15484: Resource leaks issues
https://bugzilla.redhat.com/show_bug.cgi?id=630092
Description:
The bulk_import_queue() has been modified to release ep when an
error occurs.
diff --git a/ldap/servers/slapd/back-ldbm/import-threads.c b/ldap/servers/slapd/back-ldbm/import-threads.c
index 171be08..9629a9e 100644
--- a/ldap/servers/slapd/back-ldbm/import-threads.c
+++ b/ldap/servers/slapd/back-ldbm/import-threads.c
@@ -2736,6 +2736,7 @@ static int bulk_import_queue(ImportJob *job, Slapi_Entry *entry)
ep = import_make_backentry(entry, id);
if ((ep == NULL) || (ep->ep_entry == NULL)) {
import_abort_all(job, 1);
+ backentry_free( &ep ); /* release the backend wrapper, here */
PR_Unlock(job->wire_lock);
return -1;
}
commit 4078b6113628c0a842a6caf7c54535ca95cacfd7
Author: Endi Sukma Dewata <edewata(a)redhat.com>
Date: Thu Sep 16 11:56:49 2010 -0400
Bug 630092 - Coverity #15483: Resource leaks issues
https://bugzilla.redhat.com/show_bug.cgi?id=630092
Description:
The _entryrdn_index_read() has been modified to release tmpsrdn
when an error occurs.
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c
index f3474fa..503d96b 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c
@@ -2560,6 +2560,7 @@ _entryrdn_index_read(backend *be,
"_entryrdn_index_read: Failed to generate a new elem: "
"dn: %s\n", dn);
slapi_ch_free_string(&dn);
+ slapi_rdn_free(&tmpsrdn);
goto bail;
}
slapi_rdn_free(&tmpsrdn);
@@ -2627,6 +2628,9 @@ _entryrdn_index_read(backend *be,
"_entryrdn_index_read: Failed to generate a new elem: "
"dn: %s\n", dn);
slapi_ch_free_string(&dn);
+ if (tmpsrdn != srdn) {
+ slapi_rdn_free(&tmpsrdn);
+ }
goto bail;
}
if (tmpsrdn != srdn) {
commit 753ee0945a968c849e37cc42971dc5a75bc4f0a8
Author: Endi Sukma Dewata <edewata(a)redhat.com>
Date: Tue Sep 14 23:33:13 2010 -0400
Bug 630092 - Coverity #15482: Resource leaks issues
https://bugzilla.redhat.com/show_bug.cgi?id=630092
Description:
The windows_search_local_entry_by_uniqueid() has been modified to release
the memory allocated for local_subtree.
diff --git a/ldap/servers/plugins/replication/windows_protocol_util.c b/ldap/servers/plugins/replication/windows_protocol_util.c
index ff39fb5..3fe42cf 100644
--- a/ldap/servers/plugins/replication/windows_protocol_util.c
+++ b/ldap/servers/plugins/replication/windows_protocol_util.c
@@ -4607,6 +4607,8 @@ windows_search_local_entry_by_uniqueid(Private_Repl_Protocol *prp, const char *u
{
PR_smprintf_free(filter_string);
}
+
+ if (is_global) slapi_sdn_free(&local_subtree);
return rc;
}
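Review bot: The new `if (is_global) slapi_sdn_free(&local_subtree);` decides ownership from a flag rather than from the allocation itself, so it stays correct only while `is_global` is set on exactly the paths that allocate `local_subtree`. A comment such as `/* local_subtree is a private copy only in the global case */` would make that dependency visible, and the statement should be braced like the surrounding code. The assignment to `local_subtree` is outside the hunk.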
commit 8c524b4700238edba8a307a213ba81cb56a2b913
Author: Endi Sukma Dewata <edewata(a)redhat.com>
Date: Tue Sep 14 22:54:03 2010 -0400
Bug 630092 - Coverity #15481: Resource leaks issues
https://bugzilla.redhat.com/show_bug.cgi?id=630092
Description:
The acquire_replica() has been modified to release current_csn before
it returns.
diff --git a/ldap/servers/plugins/replication/repl5_protocol_util.c b/ldap/servers/plugins/replication/repl5_protocol_util.c
index 02b16b5..16032b2 100644
--- a/ldap/servers/plugins/replication/repl5_protocol_util.c
+++ b/ldap/servers/plugins/replication/repl5_protocol_util.c
@@ -121,6 +121,7 @@ acquire_replica(Private_Repl_Protocol *prp, char *prot_oid, RUV **ruv)
char *retoid = NULL;
Slapi_DN *replarea_sdn = NULL;
struct berval **ruv_bervals = NULL;
+ CSN *current_csn = NULL;
PR_ASSERT(prp && prot_oid);
@@ -176,8 +177,6 @@ acquire_replica(Private_Repl_Protocol *prp, char *prot_oid, RUV **ruv)
}
else
{
- CSN *current_csn = NULL;
-
/* we don't want the timer to go off in the middle of an operation */
conn_cancel_linger(conn);
@@ -276,8 +275,6 @@ acquire_replica(Private_Repl_Protocol *prp, char *prot_oid, RUV **ruv)
}
/* JCMREPL - Need to extract the referrals from the RUV */
- csn_free(¤t_csn);
- current_csn = NULL;
crc = conn_send_extended_operation(conn,
prp->repl90consumer ? REPL_START_NSDS90_REPLICATION_REQUEST_OID :
REPL_START_NSDS50_REPLICATION_REQUEST_OID, payload,
@@ -522,6 +519,7 @@ acquire_replica(Private_Repl_Protocol *prp, char *prot_oid, RUV **ruv)
}
error:
+ csn_free(¤t_csn);
if (NULL != ruv_bervals)
ber_bvecfree(ruv_bervals);
if (NULL != replarea_sdn)
commit 2a267dc9c52ff4f641a6045e6c481ea881010975
Author: Endi Sukma Dewata <edewata(a)redhat.com>
Date: Tue Sep 14 21:06:13 2010 -0400
Bug 630092 - Coverity #15479: Resource leaks issues
https://bugzilla.redhat.com/show_bug.cgi?id=630092
Description:
The mep_pre_op() is correctly allocating and releasing smods during
modify operation. However, the "else" clause on line 1517 theoretically
allows other operations to enter and cause resource leak. The code has
been modified to reject other operations from operating against the
config entries.
diff --git a/ldap/servers/plugins/mep/mep.c b/ldap/servers/plugins/mep/mep.c
index 72af428..cb329e4 100644
--- a/ldap/servers/plugins/mep/mep.c
+++ b/ldap/servers/plugins/mep/mep.c
@@ -1514,7 +1514,8 @@ mep_pre_op(Slapi_PBlock * pb, int modop)
if (LDAP_CHANGETYPE_ADD == modop) {
slapi_pblock_get(pb, SLAPI_ADD_ENTRY, &e);
- } else {
+
+ } else if (LDAP_CHANGETYPE_MODIFY == modop) {
/* Fetch the entry being modified so we can
* create the resulting entry for validation. */
Slapi_DN *tmp_dn = slapi_sdn_new_dn_byref(dn);
@@ -1541,6 +1542,12 @@ mep_pre_op(Slapi_PBlock * pb, int modop)
* to let the main server handle it. */
goto bailmod;
}
+
+ } else {
+ /* Refuse other operations. */
+ ret = LDAP_UNWILLING_TO_PERFORM;
+ errstr = slapi_ch_smprintf("Not a valid operation.");
+ goto bail;
}
if (mep_parse_config_entry(e, 0) != 0) {
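Review bot: The text built by `slapi_ch_smprintf("Not a valid operation.")` gives no indication of which operation was refused, which makes the rejection hard to diagnose. Including the operation type, e.g. `errstr = slapi_ch_smprintf("Operation type %d is not allowed on this config entry.", modop);`, costs nothing since `modop` is already in scope. Whether `bail` frees `errstr` and sends `ret` to the client is outside the hunk and should be confirmed, since this is a new user of that path.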
commit 019789548c33ec6155a0cbebfe81c58bac4d1ed8
Author: Endi Sukma Dewata <edewata(a)redhat.com>
Date: Tue Sep 14 20:36:37 2010 -0400
Bug 630092 - Coverity #15478: Resource leaks issues
https://bugzilla.redhat.com/show_bug.cgi?id=630092
Description:
The mep_pre_op() has been modified to release config_copy before it goes
out of scope by moving mep_free_config_entry() out of the switch statement.
diff --git a/ldap/servers/plugins/mep/mep.c b/ldap/servers/plugins/mep/mep.c
index c0ce013..72af428 100644
--- a/ldap/servers/plugins/mep/mep.c
+++ b/ldap/servers/plugins/mep/mep.c
@@ -1631,11 +1631,11 @@ mep_pre_op(Slapi_PBlock * pb, int modop)
/* Dispose of the test entry */
slapi_entry_free(test_entry);
-
- /* Free the config copy */
- mep_free_config_entry(&config_copy);
break;
}
+
+ /* Free the config copy */
+ mep_free_config_entry(&config_copy);
}
mep_config_unlock();
commit bef946f15f1e7f5694e8e044df3444d78b558d4f
Author: Endi Sukma Dewata <edewata(a)redhat.com>
Date: Tue Sep 14 20:25:53 2010 -0400
Bug 630092 - Coverity #12117: Resource leaks issues
https://bugzilla.redhat.com/show_bug.cgi?id=630092
Description:
The putvalue() has been modified to release b64 using freeEnc64()
before it returns.
diff --git a/ldap/servers/slapd/tools/mmldif.c b/ldap/servers/slapd/tools/mmldif.c
index b364a19..6d62338 100644
--- a/ldap/servers/slapd/tools/mmldif.c
+++ b/ldap/servers/slapd/tools/mmldif.c
@@ -1245,7 +1245,7 @@ putvalue(
int valuelen
)
{
- Enc64_t * b64;
+ Enc64_t * b64 = NULL;
char * lptr;
char line[255];
int return_code;
@@ -1330,6 +1330,7 @@ putvalue(
}
return_bit:
+ if (b64) freeEnc64(b64);
if (tag != NULL) {
fputs("-\n", fh);
}
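Review bot: The added `if (b64) freeEnc64(b64);` under `return_bit:` runs on every exit, so any path in the body that already frees `b64` before jumping here would now free it twice. Each existing `freeEnc64(b64)` call in putvalue() should be removed or followed by `b64 = NULL;`. The middle of the function lies between the two hunks and is not shown, so this needs checking against the full source.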
13 years, 7 months
lib/libaccess
by Nathan Kinder
lib/libaccess/acl.tab.cpp | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
New commits:
commit 8f1cdb3193c92c863c08a8836341ff54c9c17f7b
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Wed Sep 15 14:58:53 2010 -0700
Bug 630091 - (cov#12209) Use of uninitialized pointer in libaccess
It looks like aclpvt is only initialized before use if __cplusplus
or lint are defined. I see no harm in always initializing aclpvt
to NULL, which will guarantee that we don't use an uninitialized
pointer.
diff --git a/lib/libaccess/acl.tab.cpp b/lib/libaccess/acl.tab.cpp
index 6cab7d9..5f6610d 100644
--- a/lib/libaccess/acl.tab.cpp
+++ b/lib/libaccess/acl.tab.cpp
@@ -724,7 +724,7 @@ int acl_Parse(void)
int acl_Parse()
#endif
{
- register ACLSTYPE *aclpvt; /* top of value stack for $vars */
+ register ACLSTYPE *aclpvt = 0; /* top of value stack for $vars */
#if defined(__cplusplus) || defined(lint)
/*
@@ -737,7 +737,6 @@ int acl_Parse()
case 1: goto aclerrlab;
case 2: goto aclnewstate;
}
- aclpvt = 0;
#endif
/*
13 years, 7 months
2 commits - ldap/servers
by Nathan Kinder
ldap/servers/plugins/acl/aclplugin.c | 6 ++++++
ldap/servers/slapd/tools/mmldif.c | 2 +-
2 files changed, 7 insertions(+), 1 deletion(-)
New commits:
commit b83f966e5ce1d5a3e70521b15f92b9f6ba988b1c
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Wed Sep 15 13:31:24 2010 -0700
Bug 630097 - (cov#15477) NULL dereference in ACL plug-in code
We need to check if aclpb is NULL before dereferencing it. The
proper thing to do here is to make aclplugin_preop_common() return
an error to the LDAP client and to return 1 since the whole purpose
of this function is to initialize the aclpb. Doing this will avoid
the NULL dereference.
diff --git a/ldap/servers/plugins/acl/aclplugin.c b/ldap/servers/plugins/acl/aclplugin.c
index 873c524..d54250d 100644
--- a/ldap/servers/plugins/acl/aclplugin.c
+++ b/ldap/servers/plugins/acl/aclplugin.c
@@ -205,6 +205,12 @@ aclplugin_preop_common( Slapi_PBlock *pb )
aclpb = acl_get_aclpb ( pb, ACLPB_BINDDN_PBLOCK );
+ if (aclpb == NULL) {
+ slapi_log_error( SLAPI_LOG_ACL, plugin_name, "aclplugin_preop_common: Error: aclpb is NULL\n" );
+ slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
+ return 1;
+ }
+
/* See if we have initialized already */
if ( aclpb->aclpb_state & ACLPB_INITIALIZED ) goto done;
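Review bot: The failure is logged with `SLAPI_LOG_ACL`, an ACL-specific level that is presumably not enabled by default, so a server that cannot obtain its ACL block would refuse operations with nothing in the error log. Since this is an internal error rather than ACL tracing, `slapi_log_error( SLAPI_LOG_FATAL, plugin_name, ...)` (the level acllas.c uses for its own failures on this page) seems the better fit. Returning 1 after sending LDAP_OPERATIONS_ERROR fails closed, which is the right direction for access control; the function body continues outside the hunk.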
commit 470e2c70338440f69b0ab8fc02128fe5f204af3e
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Wed Sep 15 11:45:56 2010 -0700
Bug 630097 - (cov#11938) NULL dereference in mmldif
There is a chance that a can be NULL, which we then dereference
within the else block. We should not execute the else block if
a is NULL.
diff --git a/ldap/servers/slapd/tools/mmldif.c b/ldap/servers/slapd/tools/mmldif.c
index 665452c..b364a19 100644
--- a/ldap/servers/slapd/tools/mmldif.c
+++ b/ldap/servers/slapd/tools/mmldif.c
@@ -1108,7 +1108,7 @@ addmodified(FILE * edf3, attrib1_t * attrib, record_t * first)
} while (num_b <= tot_b && stricmp(attribname(b), attrname) == 0);
fprintf(edf3, "-\n");
continue;
- } else {
+ } else if (a != NULL) {
/* a == b */
int nmods = 0;
attrib_t *begin_b = b;
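Review bot: With `} else if (a != NULL) {`, an iteration in which `a` is NULL and the earlier branches do not match now executes nothing at all. If the loop's progress depends on the work done in this block, that case could spin without advancing, so it needs either an explicit `else` that breaks out or a comment explaining why it cannot occur. The loop header and the preceding branches are outside the hunk.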
13 years, 7 months
ldap/servers
by Noriko Hosoi
ldap/servers/slapd/back-ldbm/filterindex.c | 6 ++++++
ldap/servers/slapd/back-ldbm/ldbm_search.c | 1 +
ldap/servers/slapd/back-ldbm/vlv.c | 5 +++--
ldap/servers/slapd/opshared.c | 5 +++++
ldap/servers/slapd/pagedresults.c | 25 +++++++++++++++++++++++++
ldap/servers/slapd/proto-slap.h | 2 ++
ldap/servers/slapd/result.c | 3 ++-
ldap/servers/slapd/slap.h | 4 ++++
ldap/servers/slapd/slapi-plugin.h | 1 +
9 files changed, 49 insertions(+), 3 deletions(-)
New commits:
commit 529b056b2fda91263730da1da8ac9b42b54b72f4
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Tue Sep 14 10:32:46 2010 -0700
Bug 558099 - Enhancement request: Log more information about the search result being a paged one
https://bugzilla.redhat.com/show_bug.cgi?id=558099
Description: searched entry count is logged in the access log as
(nentries=<num>). When RFC 2696 page results control is passed,
the nentries logs the page size instead of the total searched
count. andrey.ivanov(a)polytechnique.fr proposed to log the control
info as follows:
[..] conn=# op=#RESULT err=0 tag=101 nentries=# etime=0 notes=P
This patch implemented the spec.
Also, there was a bug regarding unindexed note "notes=U" when
the paged results control is received. Only the first page logs
it, but not the rest. The bug was fixed.
diff --git a/ldap/servers/slapd/back-ldbm/filterindex.c b/ldap/servers/slapd/back-ldbm/filterindex.c
index 03123ca..e237749 100644
--- a/ldap/servers/slapd/back-ldbm/filterindex.c
+++ b/ldap/servers/slapd/back-ldbm/filterindex.c
@@ -287,6 +287,7 @@ ava_candidates(
if ( unindexed ) {
unsigned int opnote = SLAPI_OP_NOTE_UNINDEXED;
slapi_pblock_set( pb, SLAPI_OPERATION_NOTES, &opnote );
+ pagedresults_set_unindexed( pb->pb_conn );
}
/* We don't use valuearray_free here since the valueset, berval
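Review bot: `pagedresults_set_unindexed( pb->pb_conn );` is called for every unindexed search, not only those carrying the paged results control, and it records the fact on the connection rather than on the operation. A plain unindexed search would therefore mark the connection, and a later, fully indexed paged search on the same connection would be logged with `notes=U`. The call should be made only when the operation is a paged search, for example by testing `OP_FLAG_PAGED_RESULTS` on the operation first. The same applies to the identical additions in the other filterindex.c hunks and in ldbm_search.c and vlv.c.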
@@ -318,6 +319,7 @@ ava_candidates(
if ( unindexed ) {
unsigned int opnote = SLAPI_OP_NOTE_UNINDEXED;
slapi_pblock_set( pb, SLAPI_OPERATION_NOTES, &opnote );
+ pagedresults_set_unindexed( pb->pb_conn );
}
valuearray_free( &ivals );
LDAPDebug( LDAP_DEBUG_TRACE, "<= ava_candidates %lu\n",
@@ -353,6 +355,7 @@ presence_candidates(
if ( unindexed ) {
unsigned int opnote = SLAPI_OP_NOTE_UNINDEXED;
slapi_pblock_set( pb, SLAPI_OPERATION_NOTES, &opnote );
+ pagedresults_set_unindexed( pb->pb_conn );
}
if (idl != NULL && ALLIDS(idl) && strcasecmp(type, "nscpentrydn") == 0) {
@@ -458,6 +461,7 @@ extensible_candidates(
unsigned int opnote = SLAPI_OP_NOTE_UNINDEXED;
slapi_pblock_set( glob_pb,
SLAPI_OPERATION_NOTES, &opnote );
+ pagedresults_set_unindexed( glob_pb->pb_conn );
}
if (idl2 == NULL)
{
@@ -864,6 +868,7 @@ substring_candidates(
attr_done(&sattr);
if ( ivals == NULL || *ivals == NULL ) {
slapi_pblock_set( pb, SLAPI_OPERATION_NOTES, &opnote );
+ pagedresults_set_unindexed( pb->pb_conn );
LDAPDebug( LDAP_DEBUG_TRACE,
"<= sub_candidates ALLIDS (no keys)\n", 0, 0, 0 );
return( idl_allids( be ) );
@@ -876,6 +881,7 @@ substring_candidates(
idl = keys2idl( be, type, indextype_SUB, ivals, err, &unindexed );
if ( unindexed ) {
slapi_pblock_set( pb, SLAPI_OPERATION_NOTES, &opnote );
+ pagedresults_set_unindexed( pb->pb_conn );
}
valuearray_free( &ivals );
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_search.c b/ldap/servers/slapd/back-ldbm/ldbm_search.c
index 0f97d86..9a8dd0f 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_search.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_search.c
@@ -675,6 +675,7 @@ ldbm_back_search( Slapi_PBlock *pb )
}
slapi_pblock_set( pb, SLAPI_OPERATION_NOTES, &opnote );
+ pagedresults_set_unindexed( pb->pb_conn );
}
sr->sr_candidates = candidates;
diff --git a/ldap/servers/slapd/back-ldbm/vlv.c b/ldap/servers/slapd/back-ldbm/vlv.c
index 0d28240..163d8a6 100644
--- a/ldap/servers/slapd/back-ldbm/vlv.c
+++ b/ldap/servers/slapd/back-ldbm/vlv.c
@@ -1150,8 +1150,9 @@ vlv_search_build_candidate_list(Slapi_PBlock *pb, const Slapi_DN *base, int *vlv
if((pi=vlv_find_search(be, base, scope, fstr, sort_control)) == NULL) {
unsigned int opnote = SLAPI_OP_NOTE_UNINDEXED;
PR_RWLock_Unlock(be->vlvSearchList_lock);
- slapi_pblock_set( pb, SLAPI_OPERATION_NOTES, &opnote );
- rc = VLV_FIND_SEARCH_FAILED;
+ slapi_pblock_set( pb, SLAPI_OPERATION_NOTES, &opnote );
+ pagedresults_set_unindexed( pb->pb_conn );
+ rc = VLV_FIND_SEARCH_FAILED;
} else if((*vlv_rc=vlvIndex_accessallowed(pi, pb)) != LDAP_SUCCESS) {
PR_RWLock_Unlock(be->vlvSearchList_lock);
rc = VLV_ACCESS_DENIED;
diff --git a/ldap/servers/slapd/opshared.c b/ldap/servers/slapd/opshared.c
index cd33d57..858bc8f 100644
--- a/ldap/servers/slapd/opshared.c
+++ b/ldap/servers/slapd/opshared.c
@@ -372,6 +372,7 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
rc = pagedresults_parse_control_value(ctl_value,
&pagesize, &curr_search_count);
if (LDAP_SUCCESS == rc) {
+ unsigned int opnote = SLAPI_OP_NOTE_SIMPLEPAGED;
operation->o_flags |= OP_FLAG_PAGED_RESULTS;
pr_be = pagedresults_get_current_be(pb->pb_conn);
pr_search_result = pagedresults_get_search_result(pb->pb_conn);
@@ -379,6 +380,10 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
pagedresults_get_search_result_count(pb->pb_conn);
estimate =
pagedresults_get_search_result_set_size_estimate(pb->pb_conn);
+ if (pagedresults_get_unindexed(pb->pb_conn)) {
+ opnote |= SLAPI_OP_NOTE_UNINDEXED;
+ }
+ slapi_pblock_set( pb, SLAPI_OPERATION_NOTES, &opnote );
} else {
/* parse paged-results-control failed */
if (iscritical) { /* return an error since it's critical */
diff --git a/ldap/servers/slapd/pagedresults.c b/ldap/servers/slapd/pagedresults.c
index fdda938..616fd11 100644
--- a/ldap/servers/slapd/pagedresults.c
+++ b/ldap/servers/slapd/pagedresults.c
@@ -301,6 +301,31 @@ pagedresults_set_with_sort(Connection *conn, int flags)
}
int
+pagedresults_get_unindexed(Connection *conn)
+{
+ int flags = 0;
+ if (conn) {
+ PR_Lock(conn->c_mutex);
+ flags = conn->c_flags&CONN_FLAG_PAGEDRESULTS_UNINDEXED;
+ PR_Unlock(conn->c_mutex);
+ }
+ return flags;
+}
+
+int
+pagedresults_set_unindexed(Connection *conn)
+{
+ int rc = -1;
+ if (conn) {
+ PR_Lock(conn->c_mutex);
+ conn->c_flags |= CONN_FLAG_PAGEDRESULTS_UNINDEXED;
+ PR_Unlock(conn->c_mutex);
+ rc = 0;
+ }
+ return rc;
+}
+
+int
pagedresults_get_sort_result_code(Connection *conn)
{
int code = 0;
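Review bot: Nothing in this patch clears `CONN_FLAG_PAGEDRESULTS_UNINDEXED` once pagedresults_set_unindexed() has set it, so the flag appears to persist for the life of the connection. Every later paged search on that connection would then be reported as unindexed, which makes the access-log note unreliable for spotting expensive searches. A reset when a new paged search starts or when the result set is finished (`conn->c_flags &= ~CONN_FLAG_PAGEDRESULTS_UNINDEXED;` under `c_mutex`) would bound its lifetime. Both new functions also lack a header comment stating what they return: the getter yields the masked flag bit, the setter 0 or -1.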
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 6524c80..6f5ae54 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -1372,6 +1372,8 @@ int pagedresults_get_search_result_set_size_estimate(Connection *conn);
int pagedresults_set_search_result_set_size_estimate(Connection *conn, int cnt);
int pagedresults_get_with_sort(Connection *conn);
int pagedresults_set_with_sort(Connection *conn, int flags);
+int pagedresults_get_unindexed(Connection *conn);
+int pagedresults_set_unindexed(Connection *conn);
int pagedresults_get_sort_result_code(Connection *conn);
int pagedresults_set_sort_result_code(Connection *conn, int code);
int pagedresults_set_timelimit(Connection *conn, time_t timelimit);
diff --git a/ldap/servers/slapd/result.c b/ldap/servers/slapd/result.c
index ca42de5..218b7b9 100644
--- a/ldap/servers/slapd/result.c
+++ b/ldap/servers/slapd/result.c
@@ -1576,7 +1576,8 @@ struct slapi_note_map {
};
static struct slapi_note_map notemap[] = {
- { SLAPI_OP_NOTE_UNINDEXED, "U" },
+ { SLAPI_OP_NOTE_UNINDEXED, "U" },
+ { SLAPI_OP_NOTE_SIMPLEPAGED, "P" }
};
#define SLAPI_NOTEMAP_COUNT ( sizeof(notemap) / sizeof(struct slapi_note_map))
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 8a40592..1f4afd9 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -1392,6 +1392,10 @@ typedef struct conn {
#define CONN_FLAG_PAGEDRESULTS_WITH_SORT 64 /* paged results control is
* sent with server side sorting
*/
+
+#define CONN_FLAG_PAGEDRESULTS_UNINDEXED 128 /* If the search is unindexed,
+ * store the info in c_flags
+ */
#define CONN_GET_SORT_RESULT_CODE (-1)
#define START_TLS_OID "1.3.6.1.4.1.1466.20037"
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index 3dd92e0..893359c 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -5854,6 +5854,7 @@ typedef struct slapi_plugindesc {
/* Extra notes to be logged within access log RESULT lines */
#define SLAPI_OPERATION_NOTES 57
#define SLAPI_OP_NOTE_UNINDEXED 0x01
+#define SLAPI_OP_NOTE_SIMPLEPAGED 0x02
/* Allows controls to be passed before operation object is created */
#define SLAPI_CONTROLS_ARG 58
ldap/servers
by Noriko Hosoi
ldap/servers/slapd/modrdn.c | 48 ++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 46 insertions(+), 2 deletions(-)
New commits:
commit 20d1e7c8e9280e2175ca843f60a50addc096f134
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Tue Sep 14 18:05:56 2010 -0700
Bug 625014 - SubTree Renames: ModRDN operation fails and the server hangs if the entry is moved to "under" the same DN.
https://bugzilla.redhat.com/show_bug.cgi?id=625014
Description: adding a check if the newsuperior is the entry itself
or its descendent. If it is, modrdn returns LDAP_UNWILLING_TO_PERFORM.
diff --git a/ldap/servers/slapd/modrdn.c b/ldap/servers/slapd/modrdn.c
index 4cca3c9..e8084c2 100644
--- a/ldap/servers/slapd/modrdn.c
+++ b/ldap/servers/slapd/modrdn.c
@@ -79,6 +79,11 @@ do_modrdn( Slapi_PBlock *pb )
int err = 0, deloldrdn = 0;
ber_len_t len = 0;
size_t dnlen = 0;
+ char *newdn = NULL;
+ char *parent = NULL;
+ Slapi_DN sdn = {0};
+ Slapi_DN snewdn = {0};
+ Slapi_DN snewsuperior = {0};
LDAPDebug( LDAP_DEBUG_TRACE, "do_modrdn\n", 0, 0, 0 );
@@ -221,6 +226,38 @@ do_modrdn( Slapi_PBlock *pb )
}
/*
+ * If newsuperior is myself or my descendent, the modrdn should fail.
+ * Note: need to check the case newrdn is given, and newsuperior
+ * uses the newrdn, as well.
+ */
+ /* Both newrdn and dn are already normalized. */
+ parent = slapi_dn_parent(dn);
+ newdn = slapi_ch_smprintf("%s,%s", newrdn, parent);
+ slapi_sdn_set_dn_byref(&sdn, dn);
+ slapi_sdn_set_dn_byref(&snewdn, newdn);
+ slapi_sdn_set_dn_byref(&snewsuperior, newsuperior);
+ if (0 == slapi_sdn_compare(&sdn, &snewsuperior) ||
+ 0 == slapi_sdn_compare(&snewdn, &snewsuperior)) {
+ op_shared_log_error_access(pb, "MODRDN", rawnewsuperior,
+ "new superior is identical to the entry dn");
+ send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL,
+ "new superior is identical to the entry dn", 0, NULL);
+ goto free_and_return;
+ }
+ if (slapi_sdn_issuffix(&snewsuperior, &sdn) ||
+ slapi_sdn_issuffix(&snewsuperior, &snewdn)) {
+ /* E.g.,
+ * newsuperior: ou=sub,ou=people,dc=example,dc=com
+ * dn: ou=people,dc=example,dc=com
+ */
+ op_shared_log_error_access(pb, "MODRDN", rawnewsuperior,
+ "new superior is descendent of the entry");
+ send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL,
+ "new superior is descendent of the entry", 0, NULL);
+ goto free_and_return;
+ }
+
+ /*
* in LDAPv3 there can be optional control extensions on
* the end of an LDAPMessage. we need to read them in and
* pass them to the backend.
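Review bot: The new check formats `parent` into `newdn` without testing it, so if `slapi_dn_parent(dn)` returns NULL for a client-supplied DN that has no parent, a NULL pointer reaches the `%s` conversion. Guard it, e.g. `newdn = parent ? slapi_ch_smprintf("%s,%s", newrdn, parent) : slapi_ch_strdup(newrdn);`. The block also runs whether or not the request carried a newsuperior; wrapping it in `if (newsuperior) { ... }` would avoid comparing against an unset DN, assuming newsuperior can be NULL at this point, which the hunk does not show. do_modrdn starts and ends outside this hunk.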
@@ -242,12 +279,19 @@ do_modrdn( Slapi_PBlock *pb )
slapi_pblock_set( pb, SLAPI_MODRDN_DELOLDRDN, &deloldrdn );
op_shared_rename(pb, 1 /* pass in ownership of string arguments */ );
- return;
+ goto ok_return;
free_and_return:
slapi_ch_free_string( &dn );
slapi_ch_free_string( &newrdn );
slapi_ch_free_string( &newsuperior );
+ok_return:
+ slapi_sdn_done(&sdn);
+ slapi_sdn_done(&snewdn);
+ slapi_sdn_done(&snewsuperior);
+ slapi_ch_free_string(&parent);
+ slapi_ch_free_string(&newdn);
+
return;
}
@@ -385,7 +429,7 @@ op_shared_rename(Slapi_PBlock *pb, int passin_args)
char **rdns;
int deloldrdn;
Slapi_Backend *be = NULL;
- Slapi_DN sdn;
+ Slapi_DN sdn = {0};
Slapi_Mods smods;
char dnbuf[BUFSIZ];
char newrdnbuf[BUFSIZ];
18 commits - ldap/servers ldap/systools lib/libaccess lib/libsi18n
by Nathan Kinder
ldap/servers/plugins/acl/acllas.c | 4
ldap/servers/plugins/cos/cos_cache.c | 10 +
ldap/servers/plugins/dna/dna.c | 2
ldap/servers/plugins/memberof/memberof.c | 8 -
ldap/servers/plugins/mep/mep.c | 1
ldap/servers/plugins/referint/referint.c | 4
ldap/servers/plugins/replication/repl5_ruv.c | 8 -
ldap/servers/plugins/replication/repl5_total.c | 2
ldap/servers/plugins/usn/usn.c | 2
ldap/servers/slapd/back-ldbm/dbhelp.c | 8 -
ldap/servers/slapd/back-ldbm/import-threads.c | 4
ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c | 7
ldap/servers/slapd/schema.c | 4
ldap/servers/slapd/tools/mmldif.c | 2
ldap/systools/idsktune.c | 5
lib/libaccess/acltools.cpp | 196 -------------------------
lib/libsi18n/reshash.c | 4
17 files changed, 49 insertions(+), 222 deletions(-)
New commits:
commit 55f94d2a6a4310bd1cd6bacc71fc4ce50b75a9fa
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Wed Sep 15 08:55:22 2010 -0700
Bug 630097 - (cov#15509) NULL dereference in idsktune
If strdup() fails, the cmd variable will be NULL. We dereference
it without checking if strdup() was successful. We should check
if cmd is NULL before dereferencing it.
diff --git a/ldap/systools/idsktune.c b/ldap/systools/idsktune.c
index cd4934d..40f1cf5 100644
--- a/ldap/systools/idsktune.c
+++ b/ldap/systools/idsktune.c
@@ -1108,6 +1108,11 @@ linux_check_release(void)
char osl[128];
char *cmd = strdup("/bin/uname -r");
+ if (cmd == NULL) {
+ printf("ERROR: Unable to allocate memory\n");
+ goto done;
+ }
+
if (flag_html) printf("<P>\n");
if (flag_debug) printf("DEBUG : %s\n",cmd);
fp = popen(cmd,"r");
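Review bot: The heap copy of a constant command string is what creates this failure path. If nothing later in linux_check_release modifies or frees `cmd` (not visible here), `const char *cmd = "/bin/uname -r";` removes both the allocation and the NULL case. If the copy has to stay, note that the `done` label is outside the hunk, so it should be confirmed that it does not use `fp` before `popen` has assigned it. The error line is also printed as plain text even when `flag_html` is set.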
commit 672f38f84a545678c7c84dfd723de292903ee19a
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Wed Sep 15 08:50:31 2010 -0700
Bug 630097 - (cov#15507,15508) NULL dereference in entryrdn code
In entryrdn_compare_dups(), we dereference the a and b parameters
when initializing the elem_a and elem_b variables. We later
perform NULL checks on both a and b, but a NULL would have
triggered a crash. We should not dereference a or b until after
the NULL checks are performed.
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c
index 2077999..f3474fa 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c
@@ -173,8 +173,8 @@ entryrdn_get_noancestorid()
int
entryrdn_compare_dups(DB *db, const DBT *a, const DBT *b)
{
- rdn_elem *elem_a = (rdn_elem *)a->data;
- rdn_elem *elem_b = (rdn_elem *)b->data;
+ rdn_elem *elem_a = NULL;
+ rdn_elem *elem_b = NULL;
int delta = 0;
if (NULL == a) {
@@ -187,6 +187,9 @@ entryrdn_compare_dups(DB *db, const DBT *a, const DBT *b)
return 1;
}
+ elem_a = (rdn_elem *)a->data;
+ elem_b = (rdn_elem *)b->data;
+
delta = strcmp((char *)elem_a->rdn_elem_nrdn_rdn,
(char *)elem_b->rdn_elem_nrdn_rdn);
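Review bot: `a->data` and `b->data` are still used unchecked: right after the new assignments, `strcmp` reads `elem_a->rdn_elem_nrdn_rdn` and `elem_b->rdn_elem_nrdn_rdn`, so a DBT with a NULL `data` pointer fails the same way the commit fixes for `a` and `b`. I would fold the data pointer into the existing guards, e.g. `if (NULL == a || NULL == a->data)` and likewise for `b`, keeping the ordering values those branches already return. The comparison also relies on the stored element being NUL-terminated within the DBT; whether the writer guarantees that is not visible in this hunk.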
commit f78a37579df8f9c60b4742019231b0dfa49a87a9
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Wed Sep 15 08:28:17 2010 -0700
Bug 630097 - (cov#15506) NULL dereference in dblayer code
The first parameter of dblayer_set_env_debugging() is dereferenced
inside of that function without NULL checking. We pass the env
variable to this function without first checking if it is NULL.
We should move the existing NULL check of env up to the top of the
dblayer_copy_file_keybykey() function.
diff --git a/ldap/servers/slapd/back-ldbm/dbhelp.c b/ldap/servers/slapd/back-ldbm/dbhelp.c
index f1f232a..93a0de8 100644
--- a/ldap/servers/slapd/back-ldbm/dbhelp.c
+++ b/ldap/servers/slapd/back-ldbm/dbhelp.c
@@ -65,15 +65,15 @@ static int dblayer_copy_file_keybykey(DB_ENV *env, char *source_file_name, char
LDAPDebug( LDAP_DEBUG_TRACE, "=> dblayer_copy_file_keybykey\n", 0, 0, 0 );
- if (priv->dblayer_file_mode)
- mode = priv->dblayer_file_mode;
- dblayer_set_env_debugging(env, priv);
-
if (!env) {
LDAPDebug(LDAP_DEBUG_ANY, "dblayer_copy_file_keybykey, Out of memory\n", 0, 0, 0);
goto error;
}
+ if (priv->dblayer_file_mode)
+ mode = priv->dblayer_file_mode;
+ dblayer_set_env_debugging(env, priv);
+
/* Open the source file */
retval = db_create(&source_file, env, 0);
if (retval) {
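Review bot: The message logged for a NULL `env` says "Out of memory", which will mislead whoever reads the error log, since nothing is allocated at this point. Something like `"dblayer_copy_file_keybykey: NULL DB environment\n"` describes the actual condition. `priv` is dereferenced immediately afterwards (`priv->dblayer_file_mode`) with no check of its own; if it can be NULL on the same error paths it needs the same guard, but the parameter list and callers are outside the hunk.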
commit 6319623ea54435610f573e1a1d7b9bbe7b16e878
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Tue Sep 14 15:45:04 2010 -0700
Bug 630097 - (cov#15505) NULL dereference in memberOf code
The config parameter is dereferenced before checking if it is NULL
early in memberof_modop_one_replace_r(). Later in the function,
we first check if config is NULL before dereferencing it. We
should check if config is NULL at the beginning of the function
and bail out before we dereference it.
diff --git a/ldap/servers/plugins/memberof/memberof.c b/ldap/servers/plugins/memberof/memberof.c
index 5294892..50da09a 100644
--- a/ldap/servers/plugins/memberof/memberof.c
+++ b/ldap/servers/plugins/memberof/memberof.c
@@ -980,6 +980,12 @@ int memberof_modop_one_replace_r(Slapi_PBlock *pb, MemberOfConfig *config,
Slapi_Value *to_dn_val = slapi_value_new_string(op_to);
Slapi_Value *this_dn_val = slapi_value_new_string(op_this);
+ if (config == NULL) {
+ slapi_log_error( SLAPI_LOG_FATAL, MEMBEROF_PLUGIN_SUBSYSTEM,
+ "memberof_modop_one_replace_r: NULL config parameter");
+ goto bail;
+ }
+
/* determine if this is a group op or single entry */
op_to_sdn = slapi_sdn_new_dn_byref(op_to);
slapi_search_internal_get_entry( op_to_sdn, config->groupattrs,
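Review bot: The new `slapi_log_error` format string has no trailing newline, unlike the other message visible in this function (`"memberof_modop_one_replace_r: %s %s in %s\n"`), so the next log record will run onto the same line; add `\n`. The check also sits after `to_dn_val` and `this_dn_val` have been allocated, so it depends on the `bail` label (outside the hunk) freeing both and on the return code holding a failure value at that point. A one-line comment above the check stating that `bail` releases the two values would make that dependency visible.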
@@ -1076,7 +1082,7 @@ int memberof_modop_one_replace_r(Slapi_PBlock *pb, MemberOfConfig *config,
"memberof_modop_one_replace_r: %s %s in %s\n"
,op_str, op_this, op_to);
- if(config && config->group_filter && !slapi_filter_test_simple(e, config->group_filter))
+ if(config->group_filter && !slapi_filter_test_simple(e, config->group_filter))
{
/* group */
Slapi_Value *ll_dn_val = 0;
commit 50df94f549ae75669c071e610d08ffa9ed9e841c
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Tue Sep 14 14:53:43 2010 -0700
Bug 630097 - (cov#15473) NULL dereference in ResHashCreate()
If there is a problem allocating pResHash, we jump to the error
label. The error label then dereferences pResHash to do a deep
free, but it doesn't check if pResHash is NULL first. We need to
check if pResHash is NULL before dereferencing it.
diff --git a/lib/libsi18n/reshash.c b/lib/libsi18n/reshash.c
index 4134b2f..6e3572f 100644
--- a/lib/libsi18n/reshash.c
+++ b/lib/libsi18n/reshash.c
@@ -276,8 +276,8 @@ ResHash * ResHashCreate(char * name)
goto done;
error:
- if (pResHash->treelist && pResHash->treelist->vlist) free(pResHash->treelist->vlist);
- if (pResHash->treelist) free(pResHash->treelist);
+ if (pResHash && pResHash->treelist && pResHash->treelist->vlist) free(pResHash->treelist->vlist);
+ if (pResHash && pResHash->treelist) free(pResHash->treelist);
if (pResHash) free(pResHash);
return NULL;
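Review bot: The cleanup now repeats the `pResHash` test on three consecutive lines, and two of the guards protect calls to `free`, which already accepts NULL. A single outer test reads more clearly: `if (pResHash) { if (pResHash->treelist) free(pResHash->treelist->vlist); free(pResHash->treelist); free(pResHash); }`. This is a readability point only; the behaviour is the same. ResHashCreate starts outside the hunk.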
commit b95332620490521a66b248e7e3840507f86705a9
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Tue Sep 14 13:53:33 2010 -0700
Bug 630097 - (cov#15465) Null dereference in USN code
At the end of the for loop, be will be NULL if we never find a
valid be->be_usn_counter. This will cause us to dereference a
NULL pointer at the next if statement after the for loop. We
need to check if be is NULL before dereferencing it.
diff --git a/ldap/servers/plugins/usn/usn.c b/ldap/servers/plugins/usn/usn.c
index 914c7ac..4ad9e66 100644
--- a/ldap/servers/plugins/usn/usn.c
+++ b/ldap/servers/plugins/usn/usn.c
@@ -582,7 +582,7 @@ usn_rootdse_search(Slapi_PBlock *pb, Slapi_Entry* e, Slapi_Entry* entryAfter,
break;
}
}
- if (be->be_usn_counter) {
+ if (be && be->be_usn_counter) {
/* get a next USN counter from be_usn_counter;
* then minus 1 from it */
PR_snprintf(usn_berval.bv_val, USN_COUNTER_BUF_LEN, "%" NSPRI64 "d",
commit 09653dc9d5719d171d71c2b92c9fe8bff94ed4b6
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Tue Sep 14 11:43:09 2010 -0700
Bug 630097 - (cov#15464) NULL dereference in repl code
If the attr parameter that is passed to my_ber_scanf_attr() is
NULL, we jump to the loser label where we clean up memory we may
have allocated. We dereference attr without first checking if it
is NULL in this clean-up code. We need to check if attr is NULL
before dereferencing it.
diff --git a/ldap/servers/plugins/replication/repl5_total.c b/ldap/servers/plugins/replication/repl5_total.c
index 5bf3742..d2987cd 100644
--- a/ldap/servers/plugins/replication/repl5_total.c
+++ b/ldap/servers/plugins/replication/repl5_total.c
@@ -689,7 +689,7 @@ my_ber_scanf_attr (BerElement *ber, Slapi_Attr **attr, PRBool *deleted)
return 0;
loser:
- if (*attr)
+ if (attr && *attr)
slapi_attr_free (attr);
if (value)
slapi_value_free (&value);
commit 30d6b1ea5c6a7f1f774bb86bea0d995cd9e45f20
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Tue Sep 14 11:27:44 2010 -0700
Bug 630097 - (cov#15463) Remove NULL check in referint plugin
Coverity believes that search_result_pb can be NULL since we check
if it is NULL before freeing the internal search results. If this
was true, there would be a NULL dereference issue when we call
slapi_pblock_get(). We are guaranteed that search_result_pb is
non-NULL after slapi_pblock_new() is called since the server would
exit if it was unable to allocate memory.
We should remove the NULL check before freeing the internal search
results.
diff --git a/ldap/servers/plugins/referint/referint.c b/ldap/servers/plugins/referint/referint.c
index 32249e9..e22a018 100644
--- a/ldap/servers/plugins/referint/referint.c
+++ b/ldap/servers/plugins/referint/referint.c
@@ -769,9 +769,7 @@ update_integrity(char **argv, char *origDN,
slapi_ch_free_string(&filter);
}
- if (search_result_pb) {
- slapi_free_search_results_internal(search_result_pb);
- }
+ slapi_free_search_results_internal(search_result_pb);
}
}
/* if got here, then everything good rc = 0 */
commit 94b265fb509ac194dec8e51b6d02f7fd88673aac
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Tue Sep 14 11:14:53 2010 -0700
Bug 630097 - (cov#15462) NULL dereference in mep_modrdn_post_op()
If we fail to fetch the postop entry for a modrdn operation in the
Managed Entry Plug-in, we end up passing a NULL pointer to
slapi_entry_attr_get_charptr(). This function dereferences the
entry without checking if it is NULL first. The mep_modrdn_post_op()
function should just return if we are unable to fetch the postop
entry.
I believe that this issue could trigger a crash when chain-on-update
is configured and a modrdn operation is chained. There is no postop
entry in this case.
diff --git a/ldap/servers/plugins/mep/mep.c b/ldap/servers/plugins/mep/mep.c
index 716b39b..c0ce013 100644
--- a/ldap/servers/plugins/mep/mep.c
+++ b/ldap/servers/plugins/mep/mep.c
@@ -2021,6 +2021,7 @@ mep_modrdn_post_op(Slapi_PBlock *pb)
slapi_log_error(SLAPI_LOG_PLUGIN, MEP_PLUGIN_SUBSYSTEM,
"mep_modrdn_post_op: Error "
"retrieving post-op entry\n");
+ return 0;
}
if ((old_dn = mep_get_dn(pb))) {
commit b28a60185cd54f149e77a1f34ffbfd676f5f2342
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Tue Sep 14 11:00:59 2010 -0700
Bug 630097 - (cov#15461) Remove unnecessary NULL check in DNA
It is not necessary to check if config_entry->types is NULL since
it is guaranteed to be non-NULL by dna_parse_config_entry() when
it creates config_entry. Coverity thinks that a NULL dereference is
possible since we are checking if config_entry->types is NULL. We
should remove this NULL check.
diff --git a/ldap/servers/plugins/dna/dna.c b/ldap/servers/plugins/dna/dna.c
index 837b674..e60f371 100644
--- a/ldap/servers/plugins/dna/dna.c
+++ b/ldap/servers/plugins/dna/dna.c
@@ -2861,7 +2861,7 @@ static int dna_pre_op(Slapi_PBlock * pb, int modtype)
if (LDAP_CHANGETYPE_ADD == modtype) {
- if (config_entry->types && dna_is_multitype_range(config_entry)) {
+ if (dna_is_multitype_range(config_entry)) {
/* For a multi-type range, we only generate a value
* for types where the magic value is set. We do not
* generate a value for missing types. */
commit a250d242395d089e7e8a2b2a3d07394eaa49d4d4
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Tue Sep 14 10:27:43 2010 -0700
Bug 630097 - (cov#15460) NULL deference in ACL URL code
When parsing a URL without a host or port present, we can
dereference a NULL pointer. We need to check if hostport is NULL
before dereferencing it.
diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c
index a41487e..6271fb1 100644
--- a/ldap/servers/plugins/acl/acllas.c
+++ b/ldap/servers/plugins/acl/acllas.c
@@ -3598,7 +3598,7 @@ acllas__client_match_URL (struct acl_pblock *aclpb, char *n_clientdn, char *url
normed = slapi_ch_smprintf("%s%s%s%s%s",
(prefix_len==LDAP_URL_prefix_len)?
LDAP_URL_prefix_core:LDAPS_URL_prefix_core,
- hostport, dn, p?"?":"",p?p+1:"");
+ hostport?hostport:"", dn, p?"?":"",p?p+1:"");
if (p) {
*p = Q; /* put the Q back in rawdn which will un-null terminate the DN part */
}
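Review bot: Substituting an empty string for a NULL `hostport` avoids the crash but builds `normed` as the scheme prefix followed directly by `dn`, and that string is then handed to `slapi_ldap_url_parse` in the next hunk. Since this is ACL evaluation, a URL that could not be split into host and DN is safer treated as malformed: log it and take the function's existing no-match/error exit rather than parsing a reconstructed URL whose first component may be read as a host. If an empty host is really intended, the conditional free in the next hunk suggests a literal "/" is the non-allocated form, so `hostport?hostport:"/"` may be the consistent default. Confirm against the code that sets `hostport`, which is outside both hunks.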
@@ -3606,7 +3606,7 @@ acllas__client_match_URL (struct acl_pblock *aclpb, char *n_clientdn, char *url
/* dn was allocated in slapi_dn_normalize_ext */
slapi_ch_free_string(&dn);
}
- if ('/' != *hostport) {
+ if (hostport && ('/' != *hostport)) {
slapi_ch_free_string(&hostport);
}
rc = slapi_ldap_url_parse(normed, &ludp, 1, NULL);
commit b35cc7e0ff07244f8e4eb2a0a41435ce83174c39
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Tue Sep 14 09:21:36 2010 -0700
Bug 630097 - (cov#12182,12183) NULL dereference in import code
The entry pointer that is passed to slapi_entry_attr_find() is
dereferenced by that function without a check for NULL. We should
check if ep->ep_entry is NULL before calling slapi_entry_attr_find().
diff --git a/ldap/servers/slapd/back-ldbm/import-threads.c b/ldap/servers/slapd/back-ldbm/import-threads.c
index 1d49054..171be08 100644
--- a/ldap/servers/slapd/back-ldbm/import-threads.c
+++ b/ldap/servers/slapd/back-ldbm/import-threads.c
@@ -634,7 +634,7 @@ import_producer(void *param)
}
ep = import_make_backentry(e, id);
- if (!ep) {
+ if ((ep == NULL) || (ep->ep_entry == NULL)) {
slapi_entry_free(e);
goto error;
}
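Review bot: When `ep` is non-NULL but `ep->ep_entry` is NULL, the widened condition takes the error path without releasing `ep`, so the backentry returned by `import_make_backentry` appears to leak here and in the `bulk_import_queue` hunk below. Free it on that branch with the backend's backentry free routine (`backentry_free(&ep);` if that is the helper this file uses elsewhere) before the existing cleanup. Whether `ep_entry` can actually be NULL with a valid `ep` depends on `import_make_backentry`, which is not shown.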
@@ -2734,7 +2734,7 @@ static int bulk_import_queue(ImportJob *job, Slapi_Entry *entry)
/* make into backentry */
ep = import_make_backentry(entry, id);
- if (!ep) {
+ if ((ep == NULL) || (ep->ep_entry == NULL)) {
import_abort_all(job, 1);
PR_Unlock(job->wire_lock);
return -1;
commit ff41170172f721a651eb3e00f676b7228f611b9d
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Tue Sep 14 08:35:47 2010 -0700
Bug 630097 - (cov#12148) NULL dereference in ruvInit()
We need to check if ruv is NULL before dereferencing it. The
assertion will not help us here in an optimized build, so an
explicit NULL check will keep us from crashing.
diff --git a/ldap/servers/plugins/replication/repl5_ruv.c b/ldap/servers/plugins/replication/repl5_ruv.c
index 78f7a53..d2917ac 100644
--- a/ldap/servers/plugins/replication/repl5_ruv.c
+++ b/ldap/servers/plugins/replication/repl5_ruv.c
@@ -1443,6 +1443,10 @@ ruvInit (RUV **ruv, int initCount)
{
PR_ASSERT (ruv);
+ if (ruv == NULL) {
+ return RUV_NSPR_ERROR;
+ }
+
/* allocate new RUV */
*ruv = (RUV *)slapi_ch_calloc (1, sizeof (RUV));
@@ -1457,9 +1461,7 @@ ruvInit (RUV **ruv, int initCount)
{
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
"ruvInit: failed to create lock\n");
- if (*ruv) {
- dl_free(&(*ruv)->elements);
- }
+ dl_free(&(*ruv)->elements);
slapi_ch_free((void**)ruv);
return RUV_NSPR_ERROR;
}
commit 3571d7a5855cb1c222f83f98e03c340185e43152
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Mon Sep 13 15:05:52 2010 -0700
Bug 630097 - (cov#12143) NULL dereference in cos cache code
The tmpDn pointer is dereferenced before checking if it is NULL. We
need to check if it is NULL first.
diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c
index fe8f534..e20fd0d 100644
--- a/ldap/servers/plugins/cos/cos_cache.c
+++ b/ldap/servers/plugins/cos/cos_cache.c
@@ -1383,7 +1383,7 @@ static int cos_cache_add_defn(
int ret = 0;
int tmplCount = 0;
cosDefinitions *theDef = 0;
- cosAttrValue *pTmpTmplDn = *tmpDn;
+ cosAttrValue *pTmpTmplDn = 0;
cosAttrValue *pDummyAttrVal = 0;
cosAttrValue *pAttrsIter = 0;
cosAttributes *pDummyAttributes = 0;
@@ -1396,9 +1396,15 @@ static int cos_cache_add_defn(
ret = -1;
goto out;
}
-
pSpecsIter = *spec;
+ if (!tmpDn) {
+ LDAPDebug( LDAP_DEBUG_ANY, "missing tmpDn\n",0,0,0);
+ ret = -1;
+ goto out;
+ }
+ pTmpTmplDn = *tmpDn;
+
/* we don't want cosspecifiers that can be supplied by the same scheme */
while( pSpecsIter )
{
commit 562f39848cdb2486d97cc730607337f7bd5e566c
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Mon Sep 13 14:56:16 2010 -0700
Bug 630097 - (cov#11964) Remove dead code from libaccess
The libaccess library has some dead functions in it. One of these
functions was flagged as having a NULL pointer dereference issue
by Coverity. The problem function is unused, so it should be removed.
There are also a number of other unused functions in the same source
file that should be removed.
diff --git a/lib/libaccess/acltools.cpp b/lib/libaccess/acltools.cpp
index 4e1274e..69d0c2e 100644
--- a/lib/libaccess/acltools.cpp
+++ b/lib/libaccess/acltools.cpp
@@ -1509,202 +1509,6 @@ Symbol_t *sym;
return(ACLERRUNDEF);
}
-/*
- * local function: translate string to lower case
- * return <0: fail
- * 0: succeed
- */
-int
-open_file_buf(FILE ** file, char * filename, char *mode, char ** buf, long * size)
-{
- int rv = 0;
- long cur = 0;
- long in = 0;
- struct stat fi;
-
- if (filename==NULL || mode==NULL) {
- rv = ACLERROPEN;
- goto open_cleanup;
- }
-
- if ((*file=fopen(filename,mode))==NULL) {
- rv = ACLERROPEN;
- goto open_cleanup;
- }
-
- if (system_stat(filename, &fi)==-1) {
- rv = ACLERROPEN;
- goto open_cleanup;
- }
-
- *size = fi.st_size;
-
- if ((*buf=(char *)PERM_MALLOC(*size+1))==NULL) {
- rv = ACLERRNOMEM;
- goto open_cleanup;
- }
-
-
- rv = 0;
- while (cur<*size) {
- in=fread(&(*buf)[cur], 1, *size, *file);
- cur = cur+in;
- if (feof(*file)) {
- break;
- }
- if (ferror(*file)) {
- rv = ACLERRIO;
- break;
- }
- }
- if (rv==0)
- (*buf)[cur] = 0;
-
-open_cleanup:
- if (rv<0) {
- if (*file)
- fclose(*file);
- if (*buf) {
- PERM_FREE(*buf);
- *buf = NULL;
- }
- }
- return rv;
-}
-
-
-/*
- * local function: writes buf to disk and close the file
- */
-void
-close_file_buf(FILE * file, char * filename, char * mode, char * buf)
-{
- if (file==NULL)
- return;
- fclose(file);
- if (strchr(mode, 'w')!=NULL || strchr(mode, 'a')!=NULL) {
- file = fopen(filename, "wb");
- fwrite(buf,1,strlen(buf),file);
- fclose(file);
- }
- if (*buf) {
- PERM_FREE(buf);
- }
-}
-
-
-/*
- * local function: translate string to lower case
- */
-char *
-str_tolower(char * string)
-{
- register char * p = string;
- for (; *p; p++)
- *p = tolower(*p);
- return string;
-}
-
-/*
- * local function: get the first name appear in block
- * return: 0 : not found,
- * 1 : found
- */
-int
-acl_get_first_name(char * block, char ** name, char ** next)
-{
- char bounds[] = "\t \"\';";
- char boundchar;
- char *p=NULL, *q=NULL, *start=NULL, *end=NULL;
-
- if (block==NULL)
- return 0;
-try_next:
- if ((p=strstr(block, "acl"))!=NULL) {
-
- // check if this "acl" is the first occurance in this line.
- for (q=p-1; ((q>=block) && *q!='\n'); q--) {
- if (strchr(" \t",*q)==NULL) {
- // if not, try next;
- block = p+3;
- goto try_next;
- }
- }
-
- p+=3;
- while (strchr(bounds,*p)&&(*p!=0))
- p++;
- if (*p==0)
- return 0;
- boundchar = *(p-1);
- start = p;
- while ((boundchar!=*p)&&(*p!=0)&&(*p!=';'))
- p++;
- if (*p==0)
- return 0;
- end = p;
- *name = (char *)PERM_MALLOC(end-start+1);
- strncpy(*name, start, (end-start));
- (*name)[end-start]=0;
- *next = end;
- return 1;
- }
- return 0;
-}
-
-/*
- * local function: find the pointer to acl string from the given block
- */
-char *
-acl_strstr(char * block, char * aclname)
-{
- const char set[] = "\t \"\';";
- char * name, * rstr = NULL;
- char * lowerb = block;
- int found = 0;
-
- if (block==NULL||aclname==NULL)
- return NULL;
-
- while ((name = strstr(block, aclname))!=NULL && !found) {
- if (name>lowerb) { // This should be true, just in case
- if ((strchr(set,name[-1])!=0) && (strchr(set,name[strlen(aclname)])!=0)) {
- // the other 2 sides are in boundary set, that means, this is an exact match.
- while (&name[-1]>=lowerb) {
- name --;
- if (strchr(set, *name)==0)
- break; // should point to 'l'
- }
-
- if (name==lowerb)
- return NULL;
-
- if ((name-2)>=lowerb)
- if ((name[-2]=='a') && (name[-1]=='c') && (*name=='l')) {
- name -= 2; // name point to 'a'
- rstr = name;
- while (TRUE) {
- if (name==lowerb) {
- found = 1;
- break;
- }
- else if (name[-1]==' '||name[-1]=='\t')
- name --;
- else if (name[-1]=='\n') {
- found = 1;
- break;
- }
- else
- break; // acl is not at the head, there are other chars.
- }
- }
- }
- block = name + strlen(aclname);
- }
- }
- return rstr;
-}
-
/*
* Destroy a NameList
commit 7c00bf728c3a8c20c08d76f66cccaf892c81a5f2
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Mon Sep 13 13:34:07 2010 -0700
Bug 630097 - (cov#11946) NULL dereference in ResHashCreate()
If we jump to the error label due to an error allocating memory
for pResHash->treelist, we try to do a free of
pResHash->treelist->vlist without checking if pResHash->treelist
is NULL. We need to perform this NULL check before dereferencing
pResHash->treelist.
diff --git a/lib/libsi18n/reshash.c b/lib/libsi18n/reshash.c
index 4c8e900..4134b2f 100644
--- a/lib/libsi18n/reshash.c
+++ b/lib/libsi18n/reshash.c
@@ -276,7 +276,7 @@ ResHash * ResHashCreate(char * name)
goto done;
error:
- if (pResHash->treelist->vlist) free(pResHash->treelist->vlist);
+ if (pResHash->treelist && pResHash->treelist->vlist) free(pResHash->treelist->vlist);
if (pResHash->treelist) free(pResHash->treelist);
if (pResHash) free(pResHash);
return NULL;
commit 243ba589c5a69a42bdae8459bd3e6d2e65853de8
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Mon Sep 13 13:50:42 2010 -0700
Bug 630097 - (cov#11938) NULL dereference in mmldif
There is a chance that we can dereference a NULL pointer in the
mmldif code. If "(numb > tot_b)" is true, it is not guaranteed
that "a" is non-NULL. We need to check if "a" is NULL before
dereferencing it in the "(cmp < 0)" case.
diff --git a/ldap/servers/slapd/tools/mmldif.c b/ldap/servers/slapd/tools/mmldif.c
index 291702a..665452c 100644
--- a/ldap/servers/slapd/tools/mmldif.c
+++ b/ldap/servers/slapd/tools/mmldif.c
@@ -1086,7 +1086,7 @@ addmodified(FILE * edf3, attrib1_t * attrib, record_t * first)
} else {
cmp = stricmp(a->name, attribname(b));
}
- if (cmp < 0) {
+ if ((cmp < 0) && (a != NULL)) {
/* a < b: a is deleted */
attrname = a->name;
fprintf(edf3, "delete: %s\n-\n", attrname);
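Review bot: The context line just above, `cmp = stricmp(a->name, attribname(b));`, already dereferences `a`, so the new `a != NULL` test only protects the case where `cmp` was set by the branch before the `else`, which is outside the hunk. When that branch leaves `cmp < 0` with `a` NULL, control now falls through to the following arms instead of the delete arm. Those arms are not visible, and if any of them reads `a` the NULL case has been moved rather than handled. I would test `a` where `cmp` is computed and make the NULL outcome explicit, with a comment such as `/* a exhausted: remaining b attributes are additions */` if that is the intended meaning.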
commit 839e52c73e04e782c8069fe9c9e1aeea0b73a1c0
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Mon Sep 13 09:20:21 2010 -0700
Bug 630097 - (cov#11933) Fix NULL dereference in schema code
There is a possibility of dereferencing prevocp when it is NULL
the second time through the loop if the first pass was not a
standard objectclass definition and tmpocp != curlisthead.
I don't think that this issue is possible unless some other
thread was able to modify tmpocp->oc_next between where curlisthead
is set (schema.c:2654) and where nextocp is set (schema.c:2658) the
first time through the loop. That said, I see no harm in checking
if prevocp is NULL before attempting to dereference it.
diff --git a/ldap/servers/slapd/schema.c b/ldap/servers/slapd/schema.c
index 6e2fefe..14f3e76 100644
--- a/ldap/servers/slapd/schema.c
+++ b/ldap/servers/slapd/schema.c
@@ -2653,7 +2653,9 @@ clean_up_and_return:
if ( tmpocp == curlisthead ) {
curlisthead = tmpocp->oc_next;
} else {
- prevocp->oc_next = tmpocp->oc_next;
+ if (prevocp) {
+ prevocp->oc_next = tmpocp->oc_next;
+ }
}
nextocp = tmpocp->oc_next;
oc_free( &tmpocp );
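Review bot: With the new guard, a NULL `prevocp` skips the unlink but execution still reaches `oc_free( &tmpocp )`, so a node that is not the list head would be freed while its predecessor still points at it, leaving a dangling `oc_next` in the objectclass list. If that state is reachable at all, the safer response is to leave the node allocated: log the inconsistency and skip `oc_free` in that branch, for example by setting a flag in the `else` and testing it before the free. The commit message attributes the condition to a concurrent modification, so a comment stating what serialises access to the list during this walk would also help. The loop starts outside the hunk.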