
(ITS#4873) ACL set memory corruption and leak



Full_Name: Rein Tollevik
Version: 2.3.34
OS: Solaris 8
URL: 
Submission from: (NULL) (81.93.160.250)


The fix for ITS#4780 seems to have introduced a memory corruption when ACL sets
are used: it causes memory that is still in use to be freed after two sets are
or'ed.  Furthermore, the fix only frees the value in the first element of a
multi-element set, i.e. it still leaks memory when the values should be
released.

Our servers started seg-faulting shortly after we upgraded from version
2.3.19 to 2.3.34, but have stayed alive after the patch included below was
applied.

Rein Tollevik
Basefarm AS

Index: servers/slapd/sets.c
===================================================================
RCS file: /f/CVSROOT/drift/OpenLDAP/servers/slapd/sets.c,v
retrieving revision 1.1.1.10
retrieving revision 1.13
diff -u -u -w -r1.1.1.10 -r1.13
--- servers/slapd/sets.c	5 Jan 2007 09:02:42 -0000	1.1.1.10
+++ servers/slapd/sets.c	13 Mar 2007 11:35:18 -0000	1.13
@@ -181,6 +181,12 @@
 				}
 			}
 			BER_BVZERO( &set[ last ] );
+
+			/* We have already copied, duplicated or freed
+			 * the values in lset and rset, so don't free
+			 * them again!
+			 */
+			op_flags |= SLAP_SET_LREFVAL|SLAP_SET_RREFVAL;
 		}
 		break;
 
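Review bot: the new `op_flags |= SLAP_SET_LREFVAL|SLAP_SET_RREFVAL;` is only reached on normal completion of this branch, after `BER_BVZERO( &set[ last ] );`; if the loop above it can leave early (to `done:` or via `break`) once values have already been moved out of `lset`/`rset`, the cleanup at `done:` will still free those values and the double free this report describes remains on that path. Please confirm there is no such early exit, or set the flags at the point where the values start being transferred rather than at the end of the branch.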
@@ -264,21 +270,14 @@
 	}
 
 done:;
-	if ( !( op_flags & SLAP_SET_LREFARR ) && lset != NULL ) {
-		if ( !( op_flags & SLAP_SET_LREFVAL ))
-			cp->set_op->o_tmpfree( lset->bv_val, cp->set_op->o_tmpmemctx );
-		cp->set_op->o_tmpfree( lset, cp->set_op->o_tmpmemctx );
-	}
-
-	if ( !( op_flags & SLAP_SET_RREFARR ) && rset != NULL ) {
-		if ( !( op_flags & SLAP_SET_RREFVAL ))
-			cp->set_op->o_tmpfree( rset->bv_val, cp->set_op->o_tmpmemctx );
-		cp->set_op->o_tmpfree( rset, cp->set_op->o_tmpmemctx );
-	}
+	if ( lset != NULL )
+		slap_set_dispose( cp, lset, SLAP_SET_LREF2REF( op_flags ));
+	if ( rset != NULL )
+		slap_set_dispose( cp, rset, SLAP_SET_RREF2REF( op_flags ));
 
 	return set;
 }
 
 static BerVarray
 set_chase( SLAP_SET_GATHER gatherer,
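Review bot: `slap_set_dispose`, `SLAP_SET_LREF2REF` and `SLAP_SET_RREF2REF` are introduced in this hunk but defined nowhere in the posted diff, so the patch does not build as submitted unless those definitions exist elsewhere; please include them. Without them a reviewer cannot verify the two properties the report depends on: that the new helper frees the `bv_val` of every element rather than only `lset->bv_val` as the removed `o_tmpfree` calls did, and that the `SLAP_SET_LREFARR`/`SLAP_SET_RREFARR` check the old code performed before freeing the array itself is preserved by the `*REF2REF` mapping.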