ldap/servers/slapd/back-ldbm/index.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit 13e53f4655f4812f7412d333bb285c9d390a4a0f
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Thu Mar 24 16:02:00 2011 -0700
Bug 690649 - (cov#10731) Use of free'd pointer in indexing code
There is a very unlikely chance that we can use a free'd pointer
in the indexing code when attribute encryption is used and there is
a problem encrypting the index key. The bug requires debug logging
to be enabled as well as an attribute name longer than 255 chars to
be used.
We have a 256 byte buffer that we attempt to use to store the
attribute name. The call to slapi_attr_basetype() will try to fill
this buffer in, but it will malloc space if the buffer is too small.
The pointer to this allocated memory is basetmp, which will be NULL
if we just used the buffer. In the event that we do allocate memory,
basetype will point to the allocated memory, otherwise it will point
to the buffer.
At line 912, we free basetmp if it was allocated, yet we use
basetype for debug logging at line 922 (which points to the same
memory if we indeed allocated memory). We should just free basetmp
at the end of the function instead of at line 912. This will allow
us to use basetype safely at line 922.
diff --git a/ldap/servers/slapd/back-ldbm/index.c b/ldap/servers/slapd/back-ldbm/index.c
index 03ea5e4..5d2b499 100644
--- a/ldap/servers/slapd/back-ldbm/index.c
+++ b/ldap/servers/slapd/back-ldbm/index.c
@@ -909,7 +909,6 @@ index_read_ext(
slapi_ch_free_string( &basetmp );
return( NULL );
}
- slapi_ch_free_string( &basetmp );
if ( val != NULL ) {
size_t plen, vlen;
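Review bot: With the free removed after the encryption-failure branch, basetmp stays allocated until the end of index_read_ext, so every return between this point and the new free near line 958 has to release it the way the branch above does (`slapi_ch_free_string( &basetmp );` before `return( NULL );`). Please confirm there are no other early returns in that stretch, or route them through a single cleanup label so ownership of the buffer is handled in one place. A short comment at the declaration noting that basetype may alias basetmp would also help keep a later cleanup from moving the free back up.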
@@ -959,6 +958,7 @@ index_read_ext(
} else if ( *err != 0 && *err != DB_NOTFOUND ) {
ldbm_nasty(errmsg, 1050, *err);
}
+ slapi_ch_free_string( &basetmp );
slapi_ch_free_string(&tmpbuf);
dblayer_release_index_file( be, ai, db );
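Review bot: The free added before `slapi_ch_free_string(&tmpbuf);` ends the lifetime of whatever basetype points at when the attribute name was heap-allocated, so nothing after it may read basetype. The visible lines that follow (freeing tmpbuf and `dblayer_release_index_file( be, ai, db );`) do not, but a one-line comment stating that basetype is invalid past this point would make the constraint explicit for future edits. Minor style point: the new call is spaced as `( &basetmp )` while the line directly below uses `(&tmpbuf)`; matching the neighbouring line would keep the cleanup block consistent.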