>From b04bed10d690391a916437b48750d2bcbccdf7d6 Mon Sep 17 00:00:00 2001
From: Nathan Kinder
Date: Thu, 30 Jul 2009 15:29:19 -0700
Subject: [PATCH] Bug 514824: Fix double free in macro ACI code.

If you have an ACI with multiple macros in it and the second attribtue does not exist in the entry you are bound as, the in-memory list used for macro substitution is free'd twice. The code swaps hands the charray it plans to return after substitution over to a working list, but it doesn't set the return list to NULL. When the second macro attribute is not found, the working list is free'd, yet the address is returned to the caller, who then tries to free the list a second time. The fix is to set the list to be returned to NULL when the memory is handed over to the working list.
---
 ldap/servers/plugins/acl/acllas.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c
index e16fbd2..1cf4c37 100644
--- a/ldap/servers/plugins/acl/acllas.c
+++ b/ldap/servers/plugins/acl/acllas.c
@@ -4045,12 +4045,14 @@ acllas_replace_attr_macro( char *rule, lasInfo *lasinfo)
 {
 /*
 * Here, a is working_list, where each member has had
- * macro_str replaced with attrVal.
- */
+ * macro_str replaced with attrVal. We hand a over,
+ * so we must set it to NULL since the working list
+ * may be free'd later. */
 charray_free(working_list);
 working_list = a;
 working_rule = a[0];
+ a = NULL;
 }
 slapi_ch_free((void **)¯o_str);
 slapi_ch_free((void **)¯o_attr_name);
-- 
1.6.2.5
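Review bot: `working_rule = a[0]` now aliases storage owned by `working_list`, so the later `charray_free(working_list)` that the description says runs when the second macro attribute is missing also invalidates `working_rule`; it is worth confirming that the code after this hunk never reads `working_rule` past that free, or clears it alongside `a`. The new `a = NULL` is what stops the returned pointer from being freed a second time, but it only protects the `a`/return path, not that alias. As a point of style, the rewritten block comment closes `*/` on the text line where the removed version and the surrounding comments in this file keep it on its own line; consider `* may be free'd later.` followed by ` */` on a line of its own. The `¯o_str` and `¯o_attr_name` in the trailing context read as an extraction artifact of `&macro_str` / `&macro_attr_name` rather than source text. The enclosing loop and function start and end outside the hunk.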