[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#6793) Bad free in back-ldap when matchedDN changes

To: openldap-its@OpenLDAP.org
Subject: (ITS#6793) Bad free in back-ldap when matchedDN changes
From: h.b.furuseth@usit.uio.no
Date: Mon, 17 Jan 2011 09:52:59 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

Full_Name: Hallvard B Furuseth
Version: RE24, HEAD
OS: Linux x86_64
URL: 
Submission from: (NULL) (129.240.6.233)
Submitted by: hallvard


ldap_back_search() can free rs->sr_matched after sending it.  That
breaks if something replaced rs->sr_matched during send_ldap_result().

Fixing to keep the matchedDN to free in a local variable.  (Could have
used REP_MATCHED_MUSTBEFREED, but might as well keep the logic which
tracks whether or not the value has a memory context.)

Also removing 'save_matched', cleaned up by result.c 1.313 (ITS#5340):
	/* FIXME: shouldn't this be null? */
	const char	*save_matched = rs->sr_matched;
Yes, it should be null.  Is it not, preserving it isn't helpful anyway.


To force a predictable matchedDN crash, let e.g. valsort produce an
unfreeable matchedDN:
Index: servers/slapd/overlays/valsort.c
@@ -274,2 +274,7 @@ valsort_response( Operation *op, SlapReply *rs )

+	if ( rs->sr_matched ) {
+		rs->sr_matched = "cn=bang";
+		rs->sr_flags  &= ~REP_MATCHED_MASK; /* do not free it */
+	}
+
 	/* If this is not a search response, or it is a syncrepl response,

Then provoke a matchedDN from the "remote" slapd and feed it to valsort:

slapd -d0 -h ldap://localhost:3890/ -f <config below>
database    monitor
database    ldap
suffix      cn=foo
uri         ldap://localhost:3890/
overlay     valsort
overlay     rwm
rwm-suffixmassage cn=foo cn=monitor

ldapsearch -xh localhost:3890 -b cn=hello,cn=foo

Prev by Date: (ITS#6792) rwm with broken config suppresses LDAP response
Next by Date: Re: (ITS#6792) rwm with broken config suppresses LDAP response
Index(es):
- Chronological
- Thread