ldap/servers/plugins/uiduniq/uid.c | 4 ++-- ldap/servers/slapd/fedse.c | 12 +++++++++--- 2 files changed, 11 insertions(+), 5 deletions(-)
New commits: commit 31c0425599b13e492cdadff5ea64da6e1696b6bc Author: William Brown william@blackhats.net.au Date: Wed Sep 28 11:16:38 2016 +1000
Ticket 48982 - Enabling a plugin that has a versioned so causes overflow
Bug Description: Enabling a plugin that has a versioned .so causes overflow. This is because we assumed that all plugins are "libname.so", and were not symlinks. So we used a fixed-size buffer for realpath.
Fix Description: Realpath can dynamically allocate the correct size buffer for the resolved path, so we use that. Additionally, we need to use "free" instead because realpath uses malloc not slapi_ch_malloc.
https://fedorahosted.org/389/ticket/48982
Author: wibrown
Reviewed by: nhosoi (Thanks so much!)
diff --git a/ldap/servers/slapd/fedse.c b/ldap/servers/slapd/fedse.c
index a7c2a0e..6988521 100644
--- a/ldap/servers/slapd/fedse.c
+++ b/ldap/servers/slapd/fedse.c
@@ -1956,8 +1956,13 @@ check_plugin_path(Slapi_PBlock *pb,
         } else { /* relative path */
             full_path = slapi_get_plugin_name(PLUGINDIR, vals[j]);
         }
-        resolved_path = slapi_ch_malloc(strlen(full_path) + 1);
-        res = realpath( full_path, resolved_path );
+        /*
+         * See man 3 realpath. We have to pass in NULL here, because we don't
+         * know if the library is versioned, it could be *any* length when
+         * resolved. The quirk is that this uses malloc, not slapi_ch_malloc,
+         * so we need to free res with free() only!
+         */
+        res = realpath( full_path, NULL );
         if (res) {
             if ((handle = dlopen(res, RTLD_NOW)) == NULL) {
                 *returncode = LDAP_UNWILLING_TO_PERFORM;
@@ -1972,7 +1977,8 @@ check_plugin_path(Slapi_PBlock *pb,
             rc = SLAPI_DSE_CALLBACK_ERROR;
         }
         slapi_ch_free_string(&full_path);
-        slapi_ch_free_string(&resolved_path);
+        /* See comment above. Must free res from realpath with free() only! */
+        free(res);
     }
     slapi_ch_array_free(vals);
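Review bot: The declaration of `resolved_path` is outside this hunk and the commit does not touch it; if it is still declared in check_plugin_path it is now an unused local and should be removed in the same change so the compiler does not warn about it. Passing NULL as the second argument to realpath() is POSIX.1-2008 behaviour (and a long-standing glibc extension); on any platform this tree still builds for where the NULL form is unspecified the call will not allocate, so a short portability note next to the `See man 3 realpath` comment, or a PATH_MAX fallback under an `#ifdef`, is worth considering. The old code's buffer of `strlen(full_path) + 1` bytes was the actual overflow, since realpath() writes up to PATH_MAX bytes regardless of the input length, and the commit message could say so explicitly. If `free(res)` in the second hunk is also reached on the realpath() failure path, that is fine because free(NULL) is a no-op. check_plugin_path starts and ends outside both hunks.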
commit ffda694dd622b31277da07be76d3469fad86150f Author: William Brown william@blackhats.net.au Date: Wed Sep 28 10:46:21 2016 +1000
Ticket 48986 - 47808 triggers overflow in uiduniq.c
Bug Description: Certain configurations of uiduniq.c would cause an overflow when running with Address Sanitiser
Fix Description: Increase the size of the allocation for tmp_config->attrs.
https://fedorahosted.org/389/ticket/48986
Author: nhosoi
Reviewed by: wibrown
diff --git a/ldap/servers/plugins/uiduniq/uid.c b/ldap/servers/plugins/uiduniq/uid.c
index d1d0162..2aba17a 100644
--- a/ldap/servers/plugins/uiduniq/uid.c
+++ b/ldap/servers/plugins/uiduniq/uid.c
@@ -302,7 +302,7 @@ uniqueness_entry_to_config(Slapi_PBlock *pb, Slapi_Entry *config_entry)
     }
     /* Store attrName in the config */
-    tmp_config->attrs = (const char **) slapi_ch_calloc(1, sizeof(char *));
+    tmp_config->attrs = (const char **) slapi_ch_calloc(2, sizeof(char *));
     tmp_config->attrs[0] = slapi_ch_strdup(attrName);
     argc--; argv++; /* First argument was attribute name and remaining are subtrees */
@@ -345,7 +345,7 @@ uniqueness_entry_to_config(Slapi_PBlock *pb, Slapi_Entry *config_entry)
         * - requiredObjectClass
         */
        /* Store attrName in the config */
-       tmp_config->attrs = (const char **) slapi_ch_calloc(1, sizeof(char *));
+       tmp_config->attrs = (const char **) slapi_ch_calloc(2, sizeof(char *));
        tmp_config->attrs[0] = slapi_ch_strdup(attrName);
        /* There is no subtrees */
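Review bot: The literal 2 passed to slapi_ch_calloc at both sites encodes that `attrs` must be a NULL-terminated array, but nothing in the code says so; with calloc(1, ...) the single slot held attrName and any consumer walking attrs until NULL would read one element past the allocation, which is presumably the ASAN heap-buffer-overflow the ticket reports. Add a comment at each site, e.g. `/* attrName plus a NULL terminator: attrs is consumed as a NULL-terminated array */`, and consider `sizeof(*tmp_config->attrs)` over `sizeof(char *)` so the element size is tied to the field rather than restated. Since the identical two lines now appear twice in uniqueness_entry_to_config, a small static helper that allocates and fills the terminated array would keep the two copies from drifting apart again. uniqueness_entry_to_config starts and ends outside the hunk.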