ldap/servers/plugins/acl/acllas.c | 4
ldap/servers/plugins/cos/cos_cache.c | 10 +
ldap/servers/plugins/dna/dna.c | 2
ldap/servers/plugins/memberof/memberof.c | 8 -
ldap/servers/plugins/mep/mep.c | 1
ldap/servers/plugins/referint/referint.c | 4
ldap/servers/plugins/replication/repl5_ruv.c | 8 -
ldap/servers/plugins/replication/repl5_total.c | 2
ldap/servers/plugins/usn/usn.c | 2
ldap/servers/slapd/back-ldbm/dbhelp.c | 8 -
ldap/servers/slapd/back-ldbm/import-threads.c | 4
ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c | 7
ldap/servers/slapd/schema.c | 4
ldap/servers/slapd/tools/mmldif.c | 2
ldap/systools/idsktune.c | 5
lib/libaccess/acltools.cpp | 196 -------------------------
lib/libsi18n/reshash.c | 4
17 files changed, 49 insertions(+), 222 deletions(-)
New commits:
commit 55f94d2a6a4310bd1cd6bacc71fc4ce50b75a9fa
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Wed Sep 15 08:55:22 2010 -0700
Bug 630097 - (cov#15509) NULL dereference in idsktune
If strdup() fails, the cmd variable will be NULL. We dereference
it without checking if strdup() was successful. We should check
if cmd is NULL before dereferencing it.
diff --git a/ldap/systools/idsktune.c b/ldap/systools/idsktune.c
index cd4934d..40f1cf5 100644
--- a/ldap/systools/idsktune.c
+++ b/ldap/systools/idsktune.c
@@ -1108,6 +1108,11 @@ linux_check_release(void)
char osl[128];
char *cmd = strdup("/bin/uname -r");
+ if (cmd == NULL) {
+ printf("ERROR: Unable to allocate memory\n");
+ goto done;
+ }
+
if (flag_html) printf("<P>\n");
if (flag_debug) printf("DEBUG : %s\n",cmd);
fp = popen(cmd,"r");
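Review bot: The new `goto done` in linux_check_release() is taken before `fp = popen(cmd,"r")` runs, so whatever the `done:` label does must tolerate an unset `fp` and a NULL `cmd`; the label is outside this hunk, so this cannot be confirmed from here. If `done:` closes the pipe, `fp` should be initialised to NULL at its declaration and guarded, e.g. `if (fp) pclose(fp);`. Since the command is a fixed literal, `const char *cmd = "/bin/uname -r";` would remove the allocation and this failure path altogether, provided nothing later frees or modifies `cmd`.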
commit 672f38f84a545678c7c84dfd723de292903ee19a
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Wed Sep 15 08:50:31 2010 -0700
Bug 630097 - (cov#15507,15508) NULL dereference in entryrdn code
In entryrdn_compare_dups(), we dereference the a and b parameters
when initializing the elem_a and elem_b variables. We later
perform NULL checks on both a and b, but a NULL would have
triggered a crash. We should not dereference a or b until after
the NULL checks are performed.
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c
b/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c
index 2077999..f3474fa 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c
@@ -173,8 +173,8 @@ entryrdn_get_noancestorid()
int
entryrdn_compare_dups(DB *db, const DBT *a, const DBT *b)
{
- rdn_elem *elem_a = (rdn_elem *)a->data;
- rdn_elem *elem_b = (rdn_elem *)b->data;
+ rdn_elem *elem_a = NULL;
+ rdn_elem *elem_b = NULL;
int delta = 0;
if (NULL == a) {
@@ -187,6 +187,9 @@ entryrdn_compare_dups(DB *db, const DBT *a, const DBT *b)
return 1;
}
+ elem_a = (rdn_elem *)a->data;
+ elem_b = (rdn_elem *)b->data;
+
delta = strcmp((char *)elem_a->rdn_elem_nrdn_rdn,
(char *)elem_b->rdn_elem_nrdn_rdn);
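Review bot: The relocated assignments `elem_a = (rdn_elem *)a->data;` and `elem_b = (rdn_elem *)b->data;` are followed directly by `strcmp()` on `elem_a->rdn_elem_nrdn_rdn`, so a DBT whose `data` member is NULL would crash in the same way the commit fixes for `a` and `b`. Consider extending the existing guards, e.g. `if (NULL == a || NULL == a->data)`. The comparison also assumes the stored RDN is NUL-terminated inside the DBT; a comment stating that invariant would help, since the record is read back from the database file. The function body continues past the end of this hunk.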
commit f78a37579df8f9c60b4742019231b0dfa49a87a9
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Wed Sep 15 08:28:17 2010 -0700
Bug 630097 - (cov#15506) NULL dereference in dblayer code
The first parameter of dblayer_set_env_debugging() is dereferenced
inside of that function without NULL checking. We pass the env
variable to this function without first checking if it is NULL.
We should move the existing NULL check of env up to the top of the
dblayer_copy_file_keybykey() function.
diff --git a/ldap/servers/slapd/back-ldbm/dbhelp.c
b/ldap/servers/slapd/back-ldbm/dbhelp.c
index f1f232a..93a0de8 100644
--- a/ldap/servers/slapd/back-ldbm/dbhelp.c
+++ b/ldap/servers/slapd/back-ldbm/dbhelp.c
@@ -65,15 +65,15 @@ static int dblayer_copy_file_keybykey(DB_ENV *env, char
*source_file_name, char
LDAPDebug( LDAP_DEBUG_TRACE, "=> dblayer_copy_file_keybykey\n", 0, 0, 0 );
- if (priv->dblayer_file_mode)
- mode = priv->dblayer_file_mode;
- dblayer_set_env_debugging(env, priv);
-
if (!env) {
LDAPDebug(LDAP_DEBUG_ANY, "dblayer_copy_file_keybykey, Out of memory\n", 0,
0, 0);
goto error;
}
+ if (priv->dblayer_file_mode)
+ mode = priv->dblayer_file_mode;
+ dblayer_set_env_debugging(env, priv);
+
/* Open the source file */
retval = db_create(&source_file, env, 0);
if (retval) {
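Review bot: The `!env` branch that now runs first still logs "dblayer_copy_file_keybykey, Out of memory", which misdescribes a NULL environment handle and points whoever reads the error log in the wrong direction; a message such as `"dblayer_copy_file_keybykey: NULL DB environment\n"` matches the condition being tested. `priv` is dereferenced on the following line (`priv->dblayer_file_mode`) with no check visible in this hunk; if callers can pass NULL it needs the same guard. The function starts and ends outside the hunk.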
commit 6319623ea54435610f573e1a1d7b9bbe7b16e878
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Tue Sep 14 15:45:04 2010 -0700
Bug 630097 - (cov#15505) NULL dereference in memberOf code
The config parameter is dereferenced before checking if it is NULL
early in memberof_modop_one_replace_r(). Later in the function,
we first check if config is NULL before dereferencing it. We
should check if config is NULL at the beginning of the function
and bail out before we dereference it.
diff --git a/ldap/servers/plugins/memberof/memberof.c
b/ldap/servers/plugins/memberof/memberof.c
index 5294892..50da09a 100644
--- a/ldap/servers/plugins/memberof/memberof.c
+++ b/ldap/servers/plugins/memberof/memberof.c
@@ -980,6 +980,12 @@ int memberof_modop_one_replace_r(Slapi_PBlock *pb, MemberOfConfig
*config,
Slapi_Value *to_dn_val = slapi_value_new_string(op_to);
Slapi_Value *this_dn_val = slapi_value_new_string(op_this);
+ if (config == NULL) {
+ slapi_log_error( SLAPI_LOG_FATAL, MEMBEROF_PLUGIN_SUBSYSTEM,
+ "memberof_modop_one_replace_r: NULL config parameter");
+ goto bail;
+ }
+
/* determine if this is a group op or single entry */
op_to_sdn = slapi_sdn_new_dn_byref(op_to);
slapi_search_internal_get_entry( op_to_sdn, config->groupattrs,
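Review bot: The new `slapi_log_error()` message "memberof_modop_one_replace_r: NULL config parameter" has no trailing newline, unlike the other message of this function shown in the next hunk (`"... %s %s in %s\n"`), so it will run into the following error-log line; append `\n`. The check also sits after `to_dn_val` and `this_dn_val` have been allocated, so it relies on the `bail:` label, which is outside this hunk, freeing both. Confirm that `bail:` does so, or the NULL-config path leaks two values per call.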
@@ -1076,7 +1082,7 @@ int memberof_modop_one_replace_r(Slapi_PBlock *pb, MemberOfConfig
*config,
"memberof_modop_one_replace_r: %s %s in %s\n"
,op_str, op_this, op_to);
- if(config && config->group_filter && !slapi_filter_test_simple(e,
config->group_filter))
+ if(config->group_filter && !slapi_filter_test_simple(e,
config->group_filter))
{
/* group */
Slapi_Value *ll_dn_val = 0;
commit 50df94f549ae75669c071e610d08ffa9ed9e841c
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Tue Sep 14 14:53:43 2010 -0700
Bug 630097 - (cov#15473) NULL dereference in ResHashCreate()
If there is a problem allocating pResHash, we jump to the error
label. The error label then dereferences pResHash to do a deep
free, but it doesn't check if pResHash is NULL first. We need to
check if pResHash is NULL before dereferencing it.
diff --git a/lib/libsi18n/reshash.c b/lib/libsi18n/reshash.c
index 4134b2f..6e3572f 100644
--- a/lib/libsi18n/reshash.c
+++ b/lib/libsi18n/reshash.c
@@ -276,8 +276,8 @@ ResHash * ResHashCreate(char * name)
goto done;
error:
- if (pResHash->treelist && pResHash->treelist->vlist)
free(pResHash->treelist->vlist);
- if (pResHash->treelist) free(pResHash->treelist);
+ if (pResHash && pResHash->treelist &&
pResHash->treelist->vlist) free(pResHash->treelist->vlist);
+ if (pResHash && pResHash->treelist) free(pResHash->treelist);
if (pResHash) free(pResHash);
return NULL;
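Review bot: The error path now repeats `pResHash &&` on two lines and then tests `pResHash` a third time; a single guard is easier to audit. Since `free(NULL)` is a no-op, the block can read `if (pResHash) { if (pResHash->treelist) free(pResHash->treelist->vlist); free(pResHash->treelist); free(pResHash); }`. Behaviour is the same for every combination of NULL members.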
commit b95332620490521a66b248e7e3840507f86705a9
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Tue Sep 14 13:53:33 2010 -0700
Bug 630097 - (cov#15465) Null dereference in USN code
At the end of the for loop, be will be NULL if we never find a
valid be->be_usn_counter. This will cause us to dereference a
NULL pointer at the next if statement after the for loop. We
need to check if be is NULL before dereferencing it.
diff --git a/ldap/servers/plugins/usn/usn.c b/ldap/servers/plugins/usn/usn.c
index 914c7ac..4ad9e66 100644
--- a/ldap/servers/plugins/usn/usn.c
+++ b/ldap/servers/plugins/usn/usn.c
@@ -582,7 +582,7 @@ usn_rootdse_search(Slapi_PBlock *pb, Slapi_Entry* e, Slapi_Entry*
entryAfter,
break;
}
}
- if (be->be_usn_counter) {
+ if (be && be->be_usn_counter) {
/* get a next USN counter from be_usn_counter;
* then minus 1 from it */
PR_snprintf(usn_berval.bv_val, USN_COUNTER_BUF_LEN, "%" NSPRI64
"d",
commit 09653dc9d5719d171d71c2b92c9fe8bff94ed4b6
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Tue Sep 14 11:43:09 2010 -0700
Bug 630097 - (cov#15464) NULL dereference in repl code
If the attr parameter that is passed to my_ber_scanf_attr() is
NULL, we jump to the loser label where we clean up memory we may
have allocated. We dereference attr without first checking if it
is NULL in this clean-up code. We need to check if attr is NULL
before dereferencing it.
diff --git a/ldap/servers/plugins/replication/repl5_total.c
b/ldap/servers/plugins/replication/repl5_total.c
index 5bf3742..d2987cd 100644
--- a/ldap/servers/plugins/replication/repl5_total.c
+++ b/ldap/servers/plugins/replication/repl5_total.c
@@ -689,7 +689,7 @@ my_ber_scanf_attr (BerElement *ber, Slapi_Attr **attr, PRBool
*deleted)
return 0;
loser:
- if (*attr)
+ if (attr && *attr)
slapi_attr_free (attr);
if (value)
slapi_value_free (&value);
commit 30d6b1ea5c6a7f1f774bb86bea0d995cd9e45f20
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Tue Sep 14 11:27:44 2010 -0700
Bug 630097 - (cov#15463) Remove NULL check in referint plugin
Coverity believes that search_result_pb can be NULL since we check
if it is NULL before freeing the internal search results. If this
was true, there would be a NULL dereference issue when we call
slapi_pblock_get(). We are guaranteed that search_result_pb is
non-NULL after slapi_pblock_new() is called since the server would
exit if it was unable to allocate memory.
We should remove the NULL check before freeing the internal search
results.
diff --git a/ldap/servers/plugins/referint/referint.c
b/ldap/servers/plugins/referint/referint.c
index 32249e9..e22a018 100644
--- a/ldap/servers/plugins/referint/referint.c
+++ b/ldap/servers/plugins/referint/referint.c
@@ -769,9 +769,7 @@ update_integrity(char **argv, char *origDN,
slapi_ch_free_string(&filter);
}
- if (search_result_pb) {
- slapi_free_search_results_internal(search_result_pb);
- }
+ slapi_free_search_results_internal(search_result_pb);
}
}
/* if got here, then everything good rc = 0 */
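Review bot: Dropping the `if (search_result_pb)` guard makes this code depend on an invariant that is stated only in the commit message, namely that `slapi_pblock_new()` never returns NULL. Record it in the source, e.g. `/* search_result_pb is never NULL: slapi_pblock_new() exits on allocation failure */`, so a later change to the allocator does not silently reintroduce the dereference. The dna.c hunk in commit b28a60185cd54f149e77a1f34ffbfd676f5f2342 has the same shape: `dna_is_multitype_range(config_entry)` now relies on `dna_parse_config_entry()` always setting `config_entry->types`, and deserves the same one-line comment.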
commit 94b265fb509ac194dec8e51b6d02f7fd88673aac
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Tue Sep 14 11:14:53 2010 -0700
Bug 630097 - (cov#15462) NULL dereference in mep_modrdn_post_op()
If we fail to fetch the postop entry for a modrdn operation in the
Managed Entry Plug-in, we end up passing a NULL pointer to
slapi_entry_attr_get_charptr(). This function dereferences the
entry without checking if it is NULL first. The mep_modrdn_post_op()
function should just return if we are unable to fetch the postop
entry.
I believe that this issue could trigger a crash when chain-on-update
is configured and a modrdn operation is chained. There is no postop
entry in this case.
diff --git a/ldap/servers/plugins/mep/mep.c b/ldap/servers/plugins/mep/mep.c
index 716b39b..c0ce013 100644
--- a/ldap/servers/plugins/mep/mep.c
+++ b/ldap/servers/plugins/mep/mep.c
@@ -2021,6 +2021,7 @@ mep_modrdn_post_op(Slapi_PBlock *pb)
slapi_log_error(SLAPI_LOG_PLUGIN, MEP_PLUGIN_SUBSYSTEM,
"mep_modrdn_post_op: Error "
"retrieving post-op entry\n");
+ return 0;
}
if ((old_dn = mep_get_dn(pb))) {
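Review bot: The added `return 0;` reports success although the managed entry was not updated, and the only trace is a message at SLAPI_LOG_PLUGIN level, which is normally not enabled by default. If a missing post-op entry is expected (the commit message mentions chained modrdn), say so in a comment such as `/* no post-op entry, e.g. chained operation: nothing to update */`; if it is unexpected, log it at an always-on level so that an origin entry and its managed entry drifting apart can be noticed. The early return also skips whatever exit tracing or cleanup sits at the end of mep_modrdn_post_op(), which is outside this hunk.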
commit b28a60185cd54f149e77a1f34ffbfd676f5f2342
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Tue Sep 14 11:00:59 2010 -0700
Bug 630097 - (cov#15461) Remove unnecessary NULL check in DNA
It is not necessary to check if config_entry->types is NULL since
it is guaranteed to be non-NULL by dna_parse_config_entry() when
it creates config_entry. Coverity thinks that a NULL dereference is
possible since we are checking if config_entry->types is NULL. We
should remove this NULL check.
diff --git a/ldap/servers/plugins/dna/dna.c b/ldap/servers/plugins/dna/dna.c
index 837b674..e60f371 100644
--- a/ldap/servers/plugins/dna/dna.c
+++ b/ldap/servers/plugins/dna/dna.c
@@ -2861,7 +2861,7 @@ static int dna_pre_op(Slapi_PBlock * pb, int modtype)
if (LDAP_CHANGETYPE_ADD == modtype) {
- if (config_entry->types &&
dna_is_multitype_range(config_entry)) {
+ if (dna_is_multitype_range(config_entry)) {
/* For a multi-type range, we only generate a value
* for types where the magic value is set. We do not
* generate a value for missing types. */
commit a250d242395d089e7e8a2b2a3d07394eaa49d4d4
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Tue Sep 14 10:27:43 2010 -0700
Bug 630097 - (cov#15460) NULL deference in ACL URL code
When parsing a URL without a host or port present, we can
dereference a NULL pointer. We need to check if hostport is NULL
before dereferencing it.
diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c
index a41487e..6271fb1 100644
--- a/ldap/servers/plugins/acl/acllas.c
+++ b/ldap/servers/plugins/acl/acllas.c
@@ -3598,7 +3598,7 @@ acllas__client_match_URL (struct acl_pblock *aclpb, char
*n_clientdn, char *url
normed = slapi_ch_smprintf("%s%s%s%s%s",
(prefix_len==LDAP_URL_prefix_len)?
LDAP_URL_prefix_core:LDAPS_URL_prefix_core,
- hostport, dn, p?"?":"",p?p+1:"");
+ hostport?hostport:"", dn,
p?"?":"",p?p+1:"");
if (p) {
*p = Q; /* put the Q back in rawdn which will un-null terminate the DN part */
}
@@ -3606,7 +3606,7 @@ acllas__client_match_URL (struct acl_pblock *aclpb, char
*n_clientdn, char *url
/* dn was allocated in slapi_dn_normalize_ext */
slapi_ch_free_string(&dn);
}
- if ('/' != *hostport) {
+ if (hostport && ('/' != *hostport)) {
slapi_ch_free_string(&hostport);
}
rc = slapi_ldap_url_parse(normed, &ludp, 1, NULL);
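Review bot: `if (hostport && ('/' != *hostport))` decides whether to free `hostport` by looking at its first character, so ownership is inferred from content rather than tracked. If the parsing code earlier in acllas__client_match_URL() (outside this hunk) can ever produce an allocated string beginning with '/', it leaks; if it can produce a non-allocated string that does not begin with '/', this is an invalid free. A local flag set at the point of allocation, e.g. `int hostport_allocated = 0;`, and tested here instead would make the free correct by construction. In the first hunk, substituting "" for a missing host means the URL is normalised with an empty authority, which is worth a comment because this string feeds an access-control match.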
commit b35cc7e0ff07244f8e4eb2a0a41435ce83174c39
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Tue Sep 14 09:21:36 2010 -0700
Bug 630097 - (cov#12182,12183) NULL dereference in import code
The entry pointer that is passed to slapi_entry_attr_find() is
dereferenced by that function without a check for NULL. We should
check if ep->ep_entry is NULL before calling slapi_entry_attr_find().
diff --git a/ldap/servers/slapd/back-ldbm/import-threads.c
b/ldap/servers/slapd/back-ldbm/import-threads.c
index 1d49054..171be08 100644
--- a/ldap/servers/slapd/back-ldbm/import-threads.c
+++ b/ldap/servers/slapd/back-ldbm/import-threads.c
@@ -634,7 +634,7 @@ import_producer(void *param)
}
ep = import_make_backentry(e, id);
- if (!ep) {
+ if ((ep == NULL) || (ep->ep_entry == NULL)) {
slapi_entry_free(e);
goto error;
}
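Review bot: With the widened test `(ep == NULL) || (ep->ep_entry == NULL)`, the error branch can now be entered with a non-NULL `ep`, and neither this hunk nor the matching one in bulk_import_queue() releases it; import_producer() frees only `e`. Free the backentry when it exists before bailing out, using the back-ldbm destructor (I believe `backentry_free(&ep);`, to be confirmed against the backentry code), and check that this does not double-free `e`/`entry` if `ep` partly took ownership. import_make_backentry() is not shown, so whether it can actually return a backentry with a NULL `ep_entry` cannot be verified from this page.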
@@ -2734,7 +2734,7 @@ static int bulk_import_queue(ImportJob *job, Slapi_Entry *entry)
/* make into backentry */
ep = import_make_backentry(entry, id);
- if (!ep) {
+ if ((ep == NULL) || (ep->ep_entry == NULL)) {
import_abort_all(job, 1);
PR_Unlock(job->wire_lock);
return -1;
commit ff41170172f721a651eb3e00f676b7228f611b9d
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Tue Sep 14 08:35:47 2010 -0700
Bug 630097 - (cov#12148) NULL dereference in ruvInit()
We need to check if ruv is NULL before dereferencing it. The
assertion will not help us here in an optimized build, so an
explicit NULL check will keep us from crashing.
diff --git a/ldap/servers/plugins/replication/repl5_ruv.c
b/ldap/servers/plugins/replication/repl5_ruv.c
index 78f7a53..d2917ac 100644
--- a/ldap/servers/plugins/replication/repl5_ruv.c
+++ b/ldap/servers/plugins/replication/repl5_ruv.c
@@ -1443,6 +1443,10 @@ ruvInit (RUV **ruv, int initCount)
{
PR_ASSERT (ruv);
+ if (ruv == NULL) {
+ return RUV_NSPR_ERROR;
+ }
+
/* allocate new RUV */
*ruv = (RUV *)slapi_ch_calloc (1, sizeof (RUV));
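Review bot: The new branch returns `RUV_NSPR_ERROR` for a NULL argument, which is also what the lock-creation failure in the second hunk returns, so callers of ruvInit() cannot tell a bad argument from an NSPR failure. If the RUV return codes include one for invalid input (e.g. `RUV_BAD_DATA`, to be confirmed in repl5_ruv.h), return that instead. A short comment on why both the assert and the runtime check are kept, such as `/* PR_ASSERT is compiled out of optimized builds */`, would stop a later cleanup from removing one of them.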
@@ -1457,9 +1461,7 @@ ruvInit (RUV **ruv, int initCount)
{
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
"ruvInit: failed to create lock\n");
- if (*ruv) {
- dl_free(&(*ruv)->elements);
- }
+ dl_free(&(*ruv)->elements);
slapi_ch_free((void**)ruv);
return RUV_NSPR_ERROR;
}
commit 3571d7a5855cb1c222f83f98e03c340185e43152
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Mon Sep 13 15:05:52 2010 -0700
Bug 630097 - (cov#12143) NULL dereference in cos cache code
The tmpDn pointer is dereferenced before checking if it is NULL. We
need to check if it is NULL first.
diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c
index fe8f534..e20fd0d 100644
--- a/ldap/servers/plugins/cos/cos_cache.c
+++ b/ldap/servers/plugins/cos/cos_cache.c
@@ -1383,7 +1383,7 @@ static int cos_cache_add_defn(
int ret = 0;
int tmplCount = 0;
cosDefinitions *theDef = 0;
- cosAttrValue *pTmpTmplDn = *tmpDn;
+ cosAttrValue *pTmpTmplDn = 0;
cosAttrValue *pDummyAttrVal = 0;
cosAttrValue *pAttrsIter = 0;
cosAttributes *pDummyAttributes = 0;
@@ -1396,9 +1396,15 @@ static int cos_cache_add_defn(
ret = -1;
goto out;
}
-
pSpecsIter = *spec;
+ if (!tmpDn) {
+ LDAPDebug( LDAP_DEBUG_ANY, "missing tmpDn\n",0,0,0);
+ ret = -1;
+ goto out;
+ }
+ pTmpTmplDn = *tmpDn;
+
/* we don't want cosspecifiers that can be supplied by the same scheme */
while( pSpecsIter )
{
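Review bot: The new message `"missing tmpDn\n"` does not say which function raised it, so an administrator who sees it in the error log has nothing to search for; `"cos_cache_add_defn: missing tmpDn\n"` would fix that. The guard covers `tmpDn` itself, but `pTmpTmplDn = *tmpDn;` can still yield NULL, and whether the code after this hunk copes with that is not visible here.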
commit 562f39848cdb2486d97cc730607337f7bd5e566c
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Mon Sep 13 14:56:16 2010 -0700
Bug 630097 - (cov#11964) Remove dead code from libaccess
The libaccess library has some dead functions in it. One of these
functions was flagged as having a NULL pointer dereference issue
by Coverity. The problem function is unused, so it should be removed.
There are also a number of other unused functions in the same source
file that should be removed.
diff --git a/lib/libaccess/acltools.cpp b/lib/libaccess/acltools.cpp
index 4e1274e..69d0c2e 100644
--- a/lib/libaccess/acltools.cpp
+++ b/lib/libaccess/acltools.cpp
@@ -1509,202 +1509,6 @@ Symbol_t *sym;
return(ACLERRUNDEF);
}
-/*
- * local function: translate string to lower case
- * return <0: fail
- * 0: succeed
- */
-int
-open_file_buf(FILE ** file, char * filename, char *mode, char ** buf, long * size)
-{
- int rv = 0;
- long cur = 0;
- long in = 0;
- struct stat fi;
-
- if (filename==NULL || mode==NULL) {
- rv = ACLERROPEN;
- goto open_cleanup;
- }
-
- if ((*file=fopen(filename,mode))==NULL) {
- rv = ACLERROPEN;
- goto open_cleanup;
- }
-
- if (system_stat(filename, &fi)==-1) {
- rv = ACLERROPEN;
- goto open_cleanup;
- }
-
- *size = fi.st_size;
-
- if ((*buf=(char *)PERM_MALLOC(*size+1))==NULL) {
- rv = ACLERRNOMEM;
- goto open_cleanup;
- }
-
-
- rv = 0;
- while (cur<*size) {
- in=fread(&(*buf)[cur], 1, *size, *file);
- cur = cur+in;
- if (feof(*file)) {
- break;
- }
- if (ferror(*file)) {
- rv = ACLERRIO;
- break;
- }
- }
- if (rv==0)
- (*buf)[cur] = 0;
-
-open_cleanup:
- if (rv<0) {
- if (*file)
- fclose(*file);
- if (*buf) {
- PERM_FREE(*buf);
- *buf = NULL;
- }
- }
- return rv;
-}
-
-
-/*
- * local function: writes buf to disk and close the file
- */
-void
-close_file_buf(FILE * file, char * filename, char * mode, char * buf)
-{
- if (file==NULL)
- return;
- fclose(file);
- if (strchr(mode, 'w')!=NULL || strchr(mode, 'a')!=NULL) {
- file = fopen(filename, "wb");
- fwrite(buf,1,strlen(buf),file);
- fclose(file);
- }
- if (*buf) {
- PERM_FREE(buf);
- }
-}
-
-
-/*
- * local function: translate string to lower case
- */
-char *
-str_tolower(char * string)
-{
- register char * p = string;
- for (; *p; p++)
- *p = tolower(*p);
- return string;
-}
-
-/*
- * local function: get the first name appear in block
- * return: 0 : not found,
- * 1 : found
- */
-int
-acl_get_first_name(char * block, char ** name, char ** next)
-{
- char bounds[] = "\t \"\';";
- char boundchar;
- char *p=NULL, *q=NULL, *start=NULL, *end=NULL;
-
- if (block==NULL)
- return 0;
-try_next:
- if ((p=strstr(block, "acl"))!=NULL) {
-
- // check if this "acl" is the first occurance in this line.
- for (q=p-1; ((q>=block) && *q!='\n'); q--) {
- if (strchr(" \t",*q)==NULL) {
- // if not, try next;
- block = p+3;
- goto try_next;
- }
- }
-
- p+=3;
- while (strchr(bounds,*p)&&(*p!=0))
- p++;
- if (*p==0)
- return 0;
- boundchar = *(p-1);
- start = p;
- while ((boundchar!=*p)&&(*p!=0)&&(*p!=';'))
- p++;
- if (*p==0)
- return 0;
- end = p;
- *name = (char *)PERM_MALLOC(end-start+1);
- strncpy(*name, start, (end-start));
- (*name)[end-start]=0;
- *next = end;
- return 1;
- }
- return 0;
-}
-
-/*
- * local function: find the pointer to acl string from the given block
- */
-char *
-acl_strstr(char * block, char * aclname)
-{
- const char set[] = "\t \"\';";
- char * name, * rstr = NULL;
- char * lowerb = block;
- int found = 0;
-
- if (block==NULL||aclname==NULL)
- return NULL;
-
- while ((name = strstr(block, aclname))!=NULL && !found) {
- if (name>lowerb) { // This should be true, just in case
- if ((strchr(set,name[-1])!=0) && (strchr(set,name[strlen(aclname)])!=0)) {
- // the other 2 sides are in boundary set, that means, this is an exact match.
- while (&name[-1]>=lowerb) {
- name --;
- if (strchr(set, *name)==0)
- break; // should point to 'l'
- }
-
- if (name==lowerb)
- return NULL;
-
- if ((name-2)>=lowerb)
- if ((name[-2]=='a') && (name[-1]=='c') &&
(*name=='l')) {
- name -= 2; // name point to 'a'
- rstr = name;
- while (TRUE) {
- if (name==lowerb) {
- found = 1;
- break;
- }
- else if (name[-1]==' '||name[-1]=='\t')
- name --;
- else if (name[-1]=='\n') {
- found = 1;
- break;
- }
- else
- break; // acl is not at the head, there are other chars.
- }
- }
- }
- block = name + strlen(aclname);
- }
- }
- return rstr;
-}
-
/*
* Destroy a NameList
commit 7c00bf728c3a8c20c08d76f66cccaf892c81a5f2
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Mon Sep 13 13:34:07 2010 -0700
Bug 630097 - (cov#11946) NULL dereference in ResHashCreate()
If we jump to the error label due to an error allocating memory
for pResHash->treelist, we try to do a free of
pResHash->treelist->vlist without checking if pResHash->treelist
is NULL. We need to perform this NULL check before dereferencing
pResHash->treelist.
diff --git a/lib/libsi18n/reshash.c b/lib/libsi18n/reshash.c
index 4c8e900..4134b2f 100644
--- a/lib/libsi18n/reshash.c
+++ b/lib/libsi18n/reshash.c
@@ -276,7 +276,7 @@ ResHash * ResHashCreate(char * name)
goto done;
error:
- if (pResHash->treelist->vlist) free(pResHash->treelist->vlist);
+ if (pResHash->treelist && pResHash->treelist->vlist)
free(pResHash->treelist->vlist);
if (pResHash->treelist) free(pResHash->treelist);
if (pResHash) free(pResHash);
return NULL;
commit 243ba589c5a69a42bdae8459bd3e6d2e65853de8
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Mon Sep 13 13:50:42 2010 -0700
Bug 630097 - (cov#11938) NULL dereference in mmldif
There is a chance that we can dereference a NULL pointer in the
mmldif code. If "(numb > tot_b)" is true, it is not guaranteed
that "a" is non-NULL. We need to check if "a" is NULL before
dereferencing it in the "(cmp < 0)" case.
diff --git a/ldap/servers/slapd/tools/mmldif.c b/ldap/servers/slapd/tools/mmldif.c
index 291702a..665452c 100644
--- a/ldap/servers/slapd/tools/mmldif.c
+++ b/ldap/servers/slapd/tools/mmldif.c
@@ -1086,7 +1086,7 @@ addmodified(FILE * edf3, attrib1_t * attrib, record_t * first)
} else {
cmp = stricmp(a->name, attribname(b));
}
- if (cmp < 0) {
+ if ((cmp < 0) && (a != NULL)) {
/* a < b: a is deleted */
attrname = a->name;
fprintf(edf3, "delete: %s\n-\n", attrname);
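Review bot: When `cmp < 0` and `a` is NULL, the added `(a != NULL)` test makes control fall through to the branches after this `if`, which are outside the hunk and were written on the assumption that `cmp >= 0` at that point. Check that those branches do the right thing for this case rather than reporting the attribute as added or unchanged. The line `cmp = stricmp(a->name, attribname(b));` just above already dereferences `a`, so the NULL case can only come from the other arm of that `if/else`; testing `a` where `cmp` is assigned would state the intent more clearly than guarding the consumer.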
commit 839e52c73e04e782c8069fe9c9e1aeea0b73a1c0
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Mon Sep 13 09:20:21 2010 -0700
Bug 630097 - (cov#11933) Fix NULL dereference in schema code
There is a possibility of dereferencing prevocp when it is NULL
the second time through the loop if the first pass was not a
standard objectclass definition and tmpocp != curlisthead.
I don't think that this issue is possible unless some other
thread was able to modify tmpocp->oc_next between where curlisthead
is set (schema.c:2654) and where nextocp is set (schema.c:2658) the
first time through the loop. That said, I see no harm in checking
if prevocp is NULL before attempting to dereference it.
diff --git a/ldap/servers/slapd/schema.c b/ldap/servers/slapd/schema.c
index 6e2fefe..14f3e76 100644
--- a/ldap/servers/slapd/schema.c
+++ b/ldap/servers/slapd/schema.c
@@ -2653,7 +2653,9 @@ clean_up_and_return:
if ( tmpocp == curlisthead ) {
curlisthead = tmpocp->oc_next;
} else {
- prevocp->oc_next = tmpocp->oc_next;
+ if (prevocp) {
+ prevocp->oc_next = tmpocp->oc_next;
+ }
}
nextocp = tmpocp->oc_next;
oc_free( &tmpocp );
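Review bot: When `prevocp` is NULL and `tmpocp` is not the list head, the new guard skips the unlink but the lines that follow still run `oc_free( &tmpocp );`, leaving a freed objectclass reachable from the list: a dangling pointer instead of an immediate crash. If this state is really unreachable, as the commit message argues, it is safer to make it loud and skip the free, i.e. log the inconsistency and move on to `nextocp` without calling `oc_free()`. The loop header is outside this hunk, so the exact control-flow change has to be made against the full function.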