Memory leak in ldap_build_search_req (ITS#331)

Full_Name: Yuri Rabover
Version: 1.2.7
OS: FreeBSD, Solaris
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (206.86.147.19)
ldap_build_search_req (RCSID:1.4.2.3.2.2) at line 139 contains the
following piece of code:

		/* opens the outer SEQUENCE: ber_start_seq allocates a seqorset entry */
		err = ber_printf( ber, "{it{seeiib", ++ld->ld_msgid,
		    LDAP_REQ_SEARCH, base, scope, ld->ld_deref,
		    ld->ld_sizelimit, ld->ld_timelimit, attrsonly );
#ifdef LDAP_CONNECTIONLESS
	}
#endif /* LDAP_CONNECTIONLESS */

	if ( err == -1 ) {
		ld->ld_errno = LDAP_ENCODING_ERROR;
		ber_free( ber, 1 );
		return( NULLBER );
	}

	filter = ldap_strdup( filter );
	err = put_filter( ber, filter );
	free( filter );

	if ( err == -1 ) {
		/* early return: the sequence opened above is never closed */
		ld->ld_errno = LDAP_FILTER_ERROR;
		ber_free( ber, 1 );
		return( NULLBER );
	}

	/* closes the sequences and releases the seqorset entry */
	if ( ber_printf( ber, "{v}}}", attrs ) == -1 ) {
		ld->ld_errno = LDAP_ENCODING_ERROR;
		ber_free( ber, 1 );
		return( NULLBER );
	}

	return( ber );

The first ber_printf starts the new sequence by calling ber_start_seq,
which allocates a chunk of memory for it in ber_start_seqorset. This memory is
normally freed in the closing ber_printf(ber, "{v}}}", ...). But if put_filter
fails with an error (for example, because of an invalid filter spec), the
closing ber_printf is never called and this memory is never freed. The result
is a memory leak of 48 bytes per ldap_search with an invalid filter.

A possible fix is to check the validity of the filter BEFORE
starting the sequence.
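The pattern behind the leak, and the fix proposed above, as an added example that is not liblber code: a constructed model in which opening a sequence allocates bookkeeping state that only the matching close releases, with the reported order (open, then validate) beside the fixed order (validate, then open). The names start_seq, end_seq, filter_ok and live_seqs are assumptions of this example, and filter_ok is a stand-in for put_filter that accepts only balanced parentheses.

```c
#include <stdlib.h>

/* Constructed model of BerElement nested-sequence bookkeeping (not liblber). */
typedef struct seq { struct seq *next; } seq_t;
typedef struct { seq_t *sos; } ber_t;

static int live_seqs = 0;   /* seqorset entries allocated but not yet freed */

/* like ber_start_seq: allocate an entry for the sequence being opened */
static int start_seq(ber_t *b) {
    seq_t *s = malloc(sizeof *s);
    if (s == NULL) return -1;
    s->next = b->sos; b->sos = s; live_seqs++;
    return 0;
}
/* like the closing "}" in ber_printf: release the entry of the innermost sequence */
static int end_seq(ber_t *b) {
    seq_t *s = b->sos;
    if (s == NULL) return -1;
    b->sos = s->next; free(s); live_seqs--;
    return 0;
}
/* models ber_free(ber, 1) as described in the report: open sequences are not released */
static void ber_free_model(ber_t *b) { (void)b; }

/* stand-in for put_filter: non-empty, starts with '(' and parentheses balance */
static int filter_ok(const char *f) {
    int depth = 0;
    if (*f != '(') return 0;
    for (; *f; f++) {
        if (*f == '(') depth++;
        else if (*f == ')' && --depth < 0) return 0;
    }
    return depth == 0;
}

/* Reported order: open the sequence, bail out on a bad filter, never close it. */
int build_search_leaky(const char *filter) {
    ber_t b = { NULL };
    if (start_seq(&b) == -1) return -1;
    if (!filter_ok(filter)) { ber_free_model(&b); return -1; }  /* entry leaks here */
    return end_seq(&b);
}

/* Fixed order: validate the filter BEFORE starting the sequence. */
int build_search_fixed(const char *filter) {
    ber_t b = { NULL };
    if (!filter_ok(filter)) return -1;       /* nothing allocated yet, nothing to leak */
    if (start_seq(&b) == -1) return -1;
    return end_seq(&b);
}
```

After a failed build, live_seqs is the count of leaked entries; it stays at 0 for the fixed ordering and grows by one per invalid filter for the reported ordering.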