From 3e34dcaf4899a5379d40d80f2eee7821b2604702 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Mon, 4 May 2015 14:06:43 -0700
Subject: [PATCH 67/72] Ticket #48146 - async simple paged results issue

Description: Invalid index could cause Invalid read.

https://fedorahosted.org/389/ticket/48146
(cherry picked from commit 8e21bfbe4fcac79cf39e5c6b579c4bc88e05257e)
---
 ldap/servers/slapd/pagedresults.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/ldap/servers/slapd/pagedresults.c b/ldap/servers/slapd/pagedresults.c
index a3a5fc4..327da54 100644
--- a/ldap/servers/slapd/pagedresults.c
+++ b/ldap/servers/slapd/pagedresults.c
@@ -138,6 +138,13 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
         memcpy(ptr, cookie.bv_val, cookie.bv_len);
         *(ptr+cookie.bv_len) = '\0';
         *index = strtol(ptr, NULL, 10);
+        if (conn->c_pagedresults.prl_maxlen <= *index) {
+            rc = LDAP_PROTOCOL_ERROR;
+            LDAPDebug1Arg(LDAP_DEBUG_ANY,
+                          "pagedresults_parse_control_value: invalid cookie: %d\n",
+                          *index);
+            goto bail;
+        }
         slapi_ch_free_string(&ptr);
         prp = conn->c_pagedresults.prl_list + *index;
         if (!(prp->pr_search_result_set)) { /* freed and reused for the next backend. */
@@ -162,6 +169,7 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
                       "pagedresults_parse_control_value: invalid cookie: %d\n",
                       *index);
     }
+bail:
     PR_Unlock(conn->c_mutex);
 
     LDAPDebug1Arg(LDAP_DEBUG_TRACE,
-- 
1.9.3