[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#6972) [PATCH] Autogroup double-free of LDAPURLDesc *lud in autogroup_add_group when the URL contains a filter with >1 attribute.

Full_Name: Gerry Calderhead
Version: OpenLDAP 2.4.25
OS: Linux RHEL5.5
URL: http://uploading.com/files/ad3ecc7f/0001-Autogroup-double-free-of-LDAPURLDesc-lud-in-autogrou.patch/
Submission from: (NULL) (

We found this issue when we swapped from dynlist to autogroup.  Dynlist happily
supports pulling over multiple attributes
(memberuid and member in our case).

When we removed dynlist and added autogroup instead we got an immediate crash
because a double-free was picked up by our
C library.  The code at fault is in autogroup_add_group in the case for was: "to
much attributes" now: "too many (%d) attributes"
where the lud was free'd then "goto cleanup" was called thus attempting to free
it agan.


The bare-minimum change requried to stop the crash in this case is:

Function: autogroup_add_group

                                if ( i > 1 ) {
                                        Debug( LDAP_DEBUG_ANY,
"autogroup_add_group: to much attributes specified in url <%s>\n",
                                                bv->bv_val, 0, 0);
                                        /* FIXME: error? */
                                        ldap_free_urldesc( lud );
                                        ch_free( agf );
+                                       continue;

I've taken the opportunity to sense-check the other error cases here and hence
made the error reporting slightly more
useful and eliminated the goto.  The git-format-patch, containing the fix above
and the clean-up I mentioned 
is available here:


sha1sum 313f55d01f37a48c5c29ea5232e6343039e6e956 

Public Domain Notice

I, Gerry Calderhead, hereby place the following modifications to OpenLDAP
Software (and only these modifications) into the public domain. Hence, these
modifications may be freely used and/or redistributed for any purpose with or
without attribution and/or other notice.