|
 |
ba46c7 |
From 2a210d1d35cf28b3ec0e7961e674feea8a394289 Mon Sep 17 00:00:00 2001
|
|
|
ba46c7 |
From: Rich Megginson <rmeggins@redhat.com>
|
|
|
ba46c7 |
Date: Fri, 23 Aug 2013 14:16:29 -0600
|
|
|
ba46c7 |
Subject: [PATCH 2/2] Bug 999634 - ns-slapd crash due to bogus DN
|
|
|
ba46c7 |
|
|
|
ba46c7 |
https://bugzilla.redhat.com/show_bug.cgi?id=999634
|
|
|
ba46c7 |
Reviewed by: ???
|
|
|
ba46c7 |
Branch: embargo-rhel-6.4-bug999634
|
|
|
ba46c7 |
Fix Description: When the target DN is not a valid DN, the code will bypass
|
|
|
ba46c7 |
the initialization of unhashed_pw_smod, and attempt to call slapi_smods_done.
|
|
|
ba46c7 |
Depending on what memory is in the unhashed_pw_smod, if both mods and
|
|
|
ba46c7 |
free_mods are true, an attempt will be made to free mods or *mods and the
|
|
|
ba46c7 |
server will crash. It is tricky to find the right sequence of operations
|
|
|
ba46c7 |
that will write the stack in such a way that both unhashed_pw_smod.mods
|
|
|
ba46c7 |
and unhashed_pw_smod.free_mods are set.
|
|
|
ba46c7 |
The fix is to just get rid of unhashed_pw_smod which is not used.
|
|
|
ba46c7 |
I also check this code and other operation code for similar cases, but the
|
|
|
ba46c7 |
rest of the code is clean.
|
|
|
ba46c7 |
Platforms tested: RHEL6 x86_64
|
|
|
ba46c7 |
Flag Day: no
|
|
|
ba46c7 |
Doc impact: no
|
|
|
ba46c7 |
(cherry picked from commit a3d65ac00df871675896f587b0da2c24eab961bb)
|
|
|
ba46c7 |
---
|
|
|
ba46c7 |
ldap/servers/slapd/modify.c | 4 ----
|
|
|
ba46c7 |
1 file changed, 4 deletions(-)
|
|
|
ba46c7 |
|
|
|
ba46c7 |
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
|
|
|
ba46c7 |
index 2677b92..957f36e 100644
|
|
|
ba46c7 |
--- a/ldap/servers/slapd/modify.c
|
|
|
ba46c7 |
+++ b/ldap/servers/slapd/modify.c
|
|
|
ba46c7 |
@@ -653,7 +653,6 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
|
|
|
ba46c7 |
int passin_sdn = 0;
|
|
|
ba46c7 |
LDAPMod **mods, *pw_mod, **tmpmods = NULL;
|
|
|
ba46c7 |
Slapi_Mods smods;
|
|
|
ba46c7 |
- Slapi_Mods unhashed_pw_smod;
|
|
|
ba46c7 |
int repl_op, internal_op, lastmod, skip_modified_attrs;
|
|
|
ba46c7 |
char *unhashed_pw_attr = NULL;
|
|
|
ba46c7 |
Slapi_Operation *operation;
|
|
|
ba46c7 |
@@ -692,8 +691,6 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
|
|
|
ba46c7 |
|
|
|
ba46c7 |
slapi_mods_init_passin (&smods, mods);
|
|
|
ba46c7 |
|
|
|
ba46c7 |
- slapi_mods_init(&unhashed_pw_smod, 0);
|
|
|
ba46c7 |
-
|
|
|
ba46c7 |
/* target spec is used to decide which plugins are applicable for the operation */
|
|
|
ba46c7 |
operation_set_target_spec (pb->pb_op, sdn);
|
|
|
ba46c7 |
|
|
|
ba46c7 |
@@ -1138,7 +1135,6 @@ free_and_return:
|
|
|
ba46c7 |
if (be)
|
|
|
ba46c7 |
slapi_be_Unlock(be);
|
|
|
ba46c7 |
|
|
|
ba46c7 |
- slapi_mods_done(&unhashed_pw_smod); /* can finalize now */
|
|
|
ba46c7 |
if (unhashed_pw_attr)
|
|
|
ba46c7 |
slapi_ch_free ((void**)&unhashed_pw_attr);
|
|
|
ba46c7 |
|
|
|
ba46c7 |
--
|
|
|
ba46c7 |
1.8.1.4
|
|
|
ba46c7 |
|