Blame SOURCES/0086-Ticket-48226-In-MMR-double-free-coould-occur-under-s.patch

From 4c82238f0c4273dbf7cf945eebc2ede66f47f680 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Thu, 16 Jul 2015 10:34:47 -0700
Subject: [PATCH 86/86] Ticket #48226 - In MMR, double free could occur under
 some special condition

Bug description:
  In a replicated topology, an authenticated user that has write access
  on an entry can send a series of operations that crash the server.
  The crash is due to an access to an already freed buffer.
Fix description:
  To avoid the double free, duplicate a CSNSet and assign it to the
  Slapi_Value.

https://fedorahosted.org/389/ticket/48226

Reviewed by rmeggins@redhat.com (Thank you, Rich!!)

(cherry picked from commit a0f8e0f981a046882db299a7a6d6d1c01bc19571)
(cherry picked from commit bdbc81e62eb8d7b8dfb298c7ba983cf86353fe66)
(cherry picked from commit 413414c98313a076111d8e40a7a10fa369433e6e)
---
 ldap/servers/slapd/valueset.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ldap/servers/slapd/valueset.c b/ldap/servers/slapd/valueset.c
index 9d77b0c..fb7a99b 100644
--- a/ldap/servers/slapd/valueset.c
+++ b/ldap/servers/slapd/valueset.c
@@ -1444,8 +1444,9 @@ valueset_update_csn_for_valuearray_ext(Slapi_ValueSet *vs, const Slapi_Attr *a,
 			if(v)
 			{
 				value_update_csn(v,t,csn);
-				if (csnref_updated)
-					valuestoupdate[i]->v_csnset = (CSNSet *)value_get_csnset(v);
+				if (csnref_updated) {
+					valuestoupdate[i]->v_csnset = csnset_dup(value_get_csnset(v));
+				}
 				valuearrayfast_add_value_passin(&vaf_valuesupdated,valuestoupdate[i]);
 				valuestoupdate[i]= NULL;
 				del_count++;
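Review bot: the new line `valuestoupdate[i]->v_csnset = csnset_dup(value_get_csnset(v));` removes the aliasing that let two Slapi_Values free the same CSNSet, but it also overwrites whatever v_csnset valuestoupdate[i] already held without releasing it; if that pointer can be non-NULL at this point (the hunk does not show it), free the old set before the assignment so the double free is not traded for a leak. Two further points worth confirming in review: that csnset_dup tolerates a NULL argument, since the old code cast value_get_csnset(v) directly and gave no hint that the result is always non-NULL, and that valuearrayfast_add_value_passin on the following line now takes ownership of the duplicated set together with valuestoupdate[i], so it is freed exactly once. A regression test that replays the replicated write sequence from the bug description against an ASan build would catch either problem.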
-- 
1.9.3