From 039d7b6178fb41374c07672ac05dce40fbce82d7 Mon Sep 17 00:00:00 2001

From: Noriko Hosoi <nhosoi@redhat.com>

Date: Mon, 4 May 2015 14:06:43 -0700

Subject: [PATCH 319/319] Ticket #48146 - async simple paged results issue

Description: Invalid index could cause Invalid read.

https://fedorahosted.org/389/ticket/48146

(cherry picked from commit 8e21bfbe4fcac79cf39e5c6b579c4bc88e05257e)

(cherry picked from commit 644a116950d34bd11533a4426f6af6953865edf2)

(cherry picked from commit 82020ad65cf1b1762a8e9eaaf1a9cd7bc7b709f1)

---

 ldap/servers/slapd/pagedresults.c | 8 ++++++++

 1 file changed, 8 insertions(+)

diff --git a/ldap/servers/slapd/pagedresults.c b/ldap/servers/slapd/pagedresults.c

index a3a5fc4..327da54 100644

--- a/ldap/servers/slapd/pagedresults.c

+++ b/ldap/servers/slapd/pagedresults.c

@@ -138,6 +138,13 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,

         memcpy(ptr, cookie.bv_val, cookie.bv_len);

         *(ptr+cookie.bv_len) = '\0';

         *index = strtol(ptr, NULL, 10);

+        if (conn->c_pagedresults.prl_maxlen <= *index) {

+            rc = LDAP_PROTOCOL_ERROR;

+            LDAPDebug1Arg(LDAP_DEBUG_ANY,

+                          "pagedresults_parse_control_value: invalid cookie: %d\n",

+                          *index);

+            goto bail;

+        }

         slapi_ch_free_string(&ptr);

         prp = conn->c_pagedresults.prl_list + *index;

         if (!(prp->pr_search_result_set)) { /* freed and reused for the next backend. */

@@ -162,6 +169,7 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,

                       "pagedresults_parse_control_value: invalid cookie: %d\n",

                       *index);

     }

+bail:

     PR_Unlock(conn->c_mutex);

     LDAPDebug1Arg(LDAP_DEBUG_TRACE,

-- 

1.9.3