[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#8200) Potential use of freed data after mdb_midl_shrink()

To: openldap-its@OpenLDAP.org
Subject: (ITS#8200) Potential use of freed data after mdb_midl_shrink()
From: h.b.furuseth@usit.uio.no
Date: Tue, 14 Jul 2015 17:53:59 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

Full_Name: Hallvard B Furuseth
Version: LMDB_0.9.15
OS: 
URL: 
Submission from: (NULL) (81.191.45.5)
Submitted by: hallvard


This code is wrong if the realloc in mdb_midl_shrink fails:

	if (mdb_midl_shrink(&txn->mt_free_pgs))
		env->me_free_pgs = txn->mt_free_pgs;

env->me_free_pgs is left pointing as an old, freed IDL.
(Freed when mt_free_pgs was originally grown.)
It should be:

	mdb_midl_shrink(&txn->mt_free_pgs);
	env->me_free_pgs = txn->mt_free_pgs;

So mdb_midl_shrink() can return void.

Prev by Date: (ITS#8199) Crash when modifying the first olcAttributeTypes element in olcSchemaConfig objectClass
Next by Date: (ITS#8173)
Index(es):
- Chronological
- Thread