From 30f61a85451e9f84bb6914585f7b4e1148311911 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Fri, 5 Jun 2015 10:13:17 -0700
Subject: [PATCH 333/333] Ticket #48192 - Individual abandoned simple paged
results request has no chance to be cleaned up
Description: Checking the cookie value passed by the client was not
sufficient. The negative value check was missing, which led to
out-of-bounds access to the simple paged results array. Plus, a minor
memory leak was fixed. Thanks to Thierry Bordaz for his reviews!
https://fedorahosted.org/389/ticket/48192
(cherry picked from commit 298371d372678cf553594ae73ae57a6ea35358bf)
(cherry picked from commit 7718eb6a6714d1a284c3c706e621a7eb0ca5655a)
(cherry picked from commit 7db5fdd5f1c5e1979784833173864e9c8c49c89d)
---
ldap/servers/slapd/pagedresults.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ldap/servers/slapd/pagedresults.c b/ldap/servers/slapd/pagedresults.c
index 402dd10..2e70e19 100644
--- a/ldap/servers/slapd/pagedresults.c
+++ b/ldap/servers/slapd/pagedresults.c
@@ -177,14 +177,14 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
memcpy(ptr, cookie.bv_val, cookie.bv_len);
*(ptr+cookie.bv_len) = '\0';
*index = strtol(ptr, NULL, 10);
- if (conn->c_pagedresults.prl_maxlen <= *index) {
+ slapi_ch_free_string(&ptr);
+ if ((conn->c_pagedresults.prl_maxlen <= *index) || (*index < 0)){
rc = LDAP_PROTOCOL_ERROR;
LDAPDebug1Arg(LDAP_DEBUG_ANY,
"pagedresults_parse_control_value: invalid cookie: %d\n",
*index);
goto bail;
}
- slapi_ch_free_string(&ptr);
prp = conn->c_pagedresults.prl_list + *index;
if (!(prp->pr_search_result_set)) { /* freed and reused for the next backend. */
conn->c_pagedresults.prl_count++;
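Review bot: The new bounds check runs only after `*index = strtol(ptr, NULL, 10);` has already narrowed the result, so a client-supplied cookie that is not a clean decimal number is still accepted. With a NULL end pointer, non-numeric text parses as 0 and trailing bytes are ignored. If `*index` is an int (the `%d` in the log line suggests so, but the declaration is outside the hunk), a value beyond int range is converted before it is compared with `prl_maxlen`. Either case can resolve to an in-range slot that does not correspond to the cookie the server issued. Parsing into a long with an end pointer and range-checking it before assigning `*index` closes this; the function begins and ends outside the hunk, so any earlier cookie validation is not visible here.

```c
char *end = NULL;
long val = strtol(ptr, &end, 10);
/* digits only, nothing trailing; evaluated while ptr is still allocated */
int malformed = (end == ptr) || (*end != '\0');
slapi_ch_free_string(&ptr);
/* range-check the long before it is narrowed into *index */
if (malformed || (val < 0) || (val >= conn->c_pagedresults.prl_maxlen)) {
    rc = LDAP_PROTOCOL_ERROR;
    /* … LDAPDebug1Arg call as before, reporting the rejected cookie … */
    goto bail;
}
*index = (int)val;
/* … unchanged: prp lookup and prl_count update … */
```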
--
1.9.3