From 413414c98313a076111d8e40a7a10fa369433e6e Mon Sep 17 00:00:00 2001
From: Noriko Hosoi
Date: Thu, 16 Jul 2015 10:34:47 -0700
Subject: [PATCH 24/30] Ticket #48226 - In MMR, double free coould occur under some special condition

Bug description: In a replicated topology, a authenticated user that have write access on an entry can send a series of operations that crash the server. The crash is due to an access to a already freed buffer.

Fix description: To avoid the double free, duplicate a CSNSet and assign it to the Slapi_Value.

https://fedorahosted.org/389/ticket/48226

Reviewed by rmeggins@redhat.com (Thank you, Rich!!)

(cherry picked from commit a0f8e0f981a046882db299a7a6d6d1c01bc19571)
(cherry picked from commit bdbc81e62eb8d7b8dfb298c7ba983cf86353fe66)
---
 ldap/servers/slapd/valueset.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ldap/servers/slapd/valueset.c b/ldap/servers/slapd/valueset.c
index 0cf3ded..7eabb82 100644
--- a/ldap/servers/slapd/valueset.c
+++ b/ldap/servers/slapd/valueset.c
@@ -1415,8 +1415,9 @@ valueset_update_csn_for_valuearray_ext(Slapi_ValueSet *vs, const Slapi_Attr *a,
 if(v)
 {
 value_update_csn(v,t,csn);
-if (csnref_updated)
-valuestoupdate[i]->v_csnset = (CSNSet *)value_get_csnset(v);
+if (csnref_updated) {
+valuestoupdate[i]->v_csnset = csnset_dup(value_get_csnset(v));
+}
 valuearrayfast_add_value_passin(&vaf_valuesupdated,valuestoupdate[i]);
 valuestoupdate[i]= NULL;
 del_count++;
-- 
1.9.3
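Review bot: The new `csnset_dup` line overwrites `valuestoupdate[i]->v_csnset` without releasing whatever that field held before, so if an incoming value can already carry a CSNSet at this point the aliasing double free becomes a leak instead; the hunk does not show whether the field is guaranteed NULL here, so either confirm that or release it first, e.g. `csnset_free(&valuestoupdate[i]->v_csnset);` ahead of the assignment, if that is the project's release call for a CSNSet. Since the whole point of the change is ownership, a one-line comment above the assignment would spare the next reader a trip to the ticket, e.g. `/* give valuestoupdate[i] its own CSNSet copy: v and the updated value are freed independently */`. It is also worth confirming that csnset_dup tolerates a NULL return from value_get_csnset, because the old code stored that pointer unconditionally and the new code now passes it through a call. The enclosing function valueset_update_csn_for_valuearray_ext starts and ends outside the hunk.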