From deb4426cae8be62cc7531862b0232fb818bb807b Mon Sep 17 00:00:00 2001 From: Rich Megginson Date: Fri, 23 Aug 2013 14:16:29 -0600 Subject: [PATCH 101/101] Bug 999634 - ns-slapd crash due to bogus DN https://bugzilla.redhat.com/show_bug.cgi?id=999634 Reviewed by: ??? Branch: rhel-6.5 Fix Description: When the target DN is not a valid DN, the code will bypass the initialization of unhashed_pw_smod, and attempt to call slapi_smods_done. Depending on what memory is in the unhashed_pw_smod, if both mods and free_mods are true, an attempt will be made to free mods or *mods and the server will crash. It is tricky to find the right sequence of operations that will write the stack in such a way that both unhashed_pw_smod.mods and unhashed_pw_smod.free_mods are set. The fix is to just get rid of unhashed_pw_smod which is not used. I also check this code and other operation code for similar cases, but the rest of the code is clean. Platforms tested: RHEL6 x86_64 Flag Day: no Doc impact: no (cherry picked from commit a3d65ac00df871675896f587b0da2c24eab961bb) --- ldap/servers/slapd/modify.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c index da742da..5e52f26 100644 --- a/ldap/servers/slapd/modify.c +++ b/ldap/servers/slapd/modify.c @@ -642,7 +642,6 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw) int passin_sdn = 0; LDAPMod **mods, *pw_mod, **tmpmods = NULL; Slapi_Mods smods; - Slapi_Mods unhashed_pw_smod; int repl_op, internal_op, lastmod, skip_modified_attrs; char *unhashed_pw_attr = NULL; Slapi_Operation *operation; @@ -681,8 +680,6 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw) slapi_mods_init_passin (&smods, mods); - slapi_mods_init(&unhashed_pw_smod, 0); - /* target spec is used to decide which plugins are applicable for the operation */ operation_set_target_spec (pb->pb_op, sdn); @@ -1008,7 +1005,6 @@ free_and_return: if (be) slapi_be_Unlock(be); - slapi_mods_done(&unhashed_pw_smod); /* can finalize now */ if (unhashed_pw_attr) slapi_ch_free ((void**)&unhashed_pw_attr); -- 1.8.1.4