[Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication repl5_total.c, 1.5, 1.6 repl_controls.c, 1.5, 1.6 repl_extop.c, 1.7, 1.8

Richard Allen Megginson (rmeggins) fedora-directory-commits at redhat.com
Thu Feb 23 20:45:19 UTC 2006


Author: rmeggins

Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4860/ldapserver/ldap/servers/plugins/replication

Modified Files:
	repl5_total.c repl_controls.c repl_extop.c 
Log Message:
Bug(s) fixed: 179135
Bug Description: memory leaks using ber_scanf when handling bad BER packets
Reviewed by: All (Thanks!)
Files: https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=123783
Branch: HEAD
Fix Description: 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179135#c0
I basically did a search through our code for all calls to ber_scanf, 
ber_get_stringa, and ber_get_stringal and made sure we properly free any 
arguments that may have been allocated.  There was a bug in the ldapsdk 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179135 that causes 
us to free uninitialized memory when trying to clean up the result of 
ber_get_stringal (or ber_scanf with 'V').  I had to initialize some 
variables to NULL so that we could properly clean them up, and added 
some additional clean ups that were missing.  Also, in repl_extop.c, we 
were calling free on an array that we should have been calling 
ch_array_free on.  Yet another lesson in the evils of slapi_ch_free and 
disabling compiler type checks in general.
Platforms tested: Fedora Core 4
Flag Day: no
Doc impact: no



Index: repl5_total.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/repl5_total.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- repl5_total.c	19 Apr 2005 22:07:32 -0000	1.5
+++ repl5_total.c	23 Feb 2006 20:45:09 -0000	1.6
@@ -585,7 +585,7 @@
     char *lasti;
     unsigned long len;
 	unsigned long tag;
-    char *str;
+    char *str = NULL;
     int rc;
     Slapi_Value *value;
 
@@ -685,6 +685,9 @@
     if (value)
         slapi_value_free (&value);
 
+    slapi_ch_free_string(&attrtype);
+    slapi_ch_free_string(&str);
+
     return -1;    
 }
 
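Review bot: The two frees added before `return -1;` are only safe if `attrtype` starts out NULL, and only `str` gets an initializer in the first hunk; the declaration of `attrtype` is not visible in either hunk. Please confirm it is declared with a NULL initializer as well, otherwise an early failure reaches `slapi_ch_free_string(&attrtype)` with an indeterminate pointer. It is also worth checking that nothing earlier on this path has already handed `str` or `attrtype` to another owner without resetting the variable to NULL, since that would turn the new cleanup into a double free.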


Index: repl_controls.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/repl_controls.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- repl_controls.c	19 Apr 2005 22:07:32 -0000	1.5
+++ repl_controls.c	23 Feb 2006 20:45:10 -0000	1.6
@@ -349,15 +349,15 @@
         		      emtag != LBER_ERROR && emtag != LBER_END_OF_SEQORSET;
         		      emtag = ber_next_element( ember, &emlen, emlast ))
 			    {
-        		    struct berval **embvals;
-        		    if ( ber_scanf( ember, "{i{a[V]}}", &op, &type, &embvals ) == LBER_ERROR )
+        		    struct berval **embvals = NULL;
+        		    type = NULL;
+        		    if ( ber_scanf( ember, "{i{a[V]}}", &op, &type, &embvals ) != LBER_ERROR )
 					{
-            			continue;
+        				slapi_mods_add_modbvps( smods, op, type, embvals);
 					/* GGOODREPL I suspect this will cause two sets of lastmods attr values
 						to end up in the entry. We need to remove the old ones.
 					*/
         		    }
-                    slapi_mods_add_modbvps( smods, op, type, embvals);
         		    free( type );
         		    ber_bvecfree( embvals );
         		}
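Review bot: `type` is reset with `type = NULL;` rather than declared inside the loop body, so the now unconditional `free( type )` at the bottom depends on that single assignment staying in place; declaring it with a NULL initializer next to `embvals` inside the loop would make the cleanup harder to break in a later edit. The GGOODREPL comment now trails the `slapi_mods_add_modbvps` call inside the success branch, and the new call is indented differently from its neighbours; moving the comment above the call would keep it readable. An element that fails to decode is still skipped silently, so a log message in an else branch would help when diagnosing bad packets.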


Index: repl_extop.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/repl_extop.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- repl_extop.c	19 Apr 2005 22:07:32 -0000	1.7
+++ repl_extop.c	23 Feb 2006 20:45:10 -0000	1.8
@@ -384,7 +384,8 @@
 		/* slapi_ch_free accepts NULL pointer */
 		slapi_ch_free ((void**)protocol_oid);
 		slapi_ch_free ((void**)repl_root);
-		slapi_ch_free ((void **)extra_referrals);
+		slapi_ch_array_free (*extra_referrals);
+        *extra_referrals = NULL;
 		slapi_ch_free ((void**)csnstr);
 
 		if (*supplier_ruv)
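Review bot: The retained comment `/* slapi_ch_free accepts NULL pointer */` no longer covers every call beneath it, because `slapi_ch_array_free (*extra_referrals);` is a different function; please extend the comment, or add a guard, to state that it also tolerates a NULL array. The added `*extra_referrals = NULL;` line is indented with spaces while the surrounding lines use tabs. The remaining `(void**)` casts on `protocol_oid`, `repl_root` and `csnstr` can hide the same kind of mismatch this hunk fixes, so typed free helpers would be preferable where they exist.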



