
Blame SOURCES/0017-Issue-4483-heap-use-after-free-in-slapi_be_getsuffix.patch

From 1386b140d8cc81d37fdea6593487fe542587ccac Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 9 Dec 2020 09:52:08 -0500
Subject: [PATCH] Issue 4483 - heap-use-after-free in slapi_be_getsuffix
Description:  heap-use-after-free in slapi_be_getsuffix after disk
              monitoring runs. This feature is freeing a list of
              backends which it does not need to do.
Fixes: https://github.com/389ds/389-ds-base/issues/4483
Reviewed by: firstyear & tbordaz(Thanks!!)
---
 ldap/servers/slapd/daemon.c | 13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)
diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
index 49199e4df..691f77570 100644
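--- a/ldap/servers/slapd/daemon.c
+++ b/ldap/servers/slapd/daemon.c
@@ -606,12 +606,6 @@ disk_monitoring_thread(void *nothing __attribute__((unused)))
             now = start;
             while ((now - start) < grace_period) {
                 if (g_get_shutdown()) {
-                    be_index = 0;
-                    if (be_list[be_index] != NULL) {
-                        while ((be = be_list[be_index++])) {
-                            slapi_be_free(&be);
-                        }
-                    }
                     slapi_ch_array_free(dirs);
                     dirs = NULL;
                     return;
@@ -706,12 +700,7 @@ disk_monitoring_thread(void *nothing __attribute__((unused)))
                 }
             }
         }
-        be_index = 0;
-        if (be_list[be_index] != NULL) {
-            while ((be = be_list[be_index++])) {
-                slapi_be_free(&be);
-            }
-        }
+
         slapi_ch_array_free(dirs);
         dirs = NULL; /* now it is not needed but the code may be changed in the future and it'd better be more robust */
         g_set_shutdown(SLAPI_SHUTDOWN_DISKFULL);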
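Review bot: Neither exit path of disk_monitoring_thread (the `g_get_shutdown()` return in the first hunk, the disk-full path before `g_set_shutdown()` in the second) records why be_list is left alone, so a later cleanup pass could put the `slapi_be_free()` loop back and reintroduce the use-after-free in slapi_be_getsuffix. Assuming, as the description says, that this thread does not own the backends, I would add above each `slapi_ch_array_free(dirs);` a comment such as `/* be_list entries are borrowed, not owned by this thread; never slapi_be_free() them here */`. The second hunk also leaves a bare blank line (`+`) where the loop was, which can be dropped. The locals `be` and `be_index` are presumably declared outside these hunks; if the removed loops were their only users, they should be deleted too to avoid unused-variable warnings. The function body starts and ends outside both hunks, so where be_list is filled is not visible here.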
-- 
2.26.2