From aaae3f590d92cbdb301a82e248bda2248bc18bb6 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Wed, 28 Sep 2016 15:28:28 -0700
Subject: [PATCH 416/425] Ticket #48987 - Heap use after free in
dblayer_close_indexes
Description: Once an attribute info is deleted, its backpointer
dblayer_handle_ai_backpointer in the dblayer handle needs to be
set to NULL so that the address is not accessed again. We also need to set
this to null from within the dblayer_close_indexes because there
is no guarantee on the order that we free the handle or the
attrinfo.
https://fedorahosted.org/389/ticket/48987
Author: nhosoi, wibrown
Review: nhosoi (Thanks!)
(cherry picked from commit 99176404bfe76ee9fcf48b8b28750ec3979ec020)
(cherry picked from commit f4b2a54d45606d61828d37b2a901f799a2de5f7b)
---
ldap/servers/slapd/back-ldbm/dblayer.c | 8 +++++++-
ldap/servers/slapd/back-ldbm/ldbm_attr.c | 4 ++++
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/ldap/servers/slapd/back-ldbm/dblayer.c b/ldap/servers/slapd/back-ldbm/dblayer.c
index a08913b..fed5548 100644
--- a/ldap/servers/slapd/back-ldbm/dblayer.c
+++ b/ldap/servers/slapd/back-ldbm/dblayer.c
@@ -2635,7 +2635,13 @@ int dblayer_close_indexes(backend *be)
pDB = handle->dblayer_dbp;
return_value |= pDB->close(pDB,0);
next = handle->dblayer_handle_next;
- *((dblayer_handle **)handle->dblayer_handle_ai_backpointer) = NULL;
+ /* If the backpointer is still valid, NULL the attrinfos ref to us
+ * This is important as there is no ordering guarantee between if the
+ * handle or the attrinfo is freed first!
+ */
+ if (handle->dblayer_handle_ai_backpointer) {
+ *((dblayer_handle **)handle->dblayer_handle_ai_backpointer) = NULL;
+ }
slapi_ch_free((void**)&handle);
}
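Review bot: The new NULL check on `handle->dblayer_handle_ai_backpointer` is only sufficient if every path that frees an attrinfo first clears this field, as the companion hunk in ldbm_attr.c does for `attrinfo_delete`; a backpointer left dangling by any other attrinfo teardown path would still be written through at the line below the check. The invariant this pair of hunks introduces is not recorded anywhere in the code, so a comment at the point where the backpointer is set up (outside this hunk) would help, e.g. `/* Two-way link with the attrinfo: whichever side is torn down first clears the other's reference. */`. The `(dblayer_handle **)` cast suggests the field is declared without a type; declaring it as `dblayer_handle **` would let the compiler catch mismatches. No locking is visible in the hunk, so if an attrinfo can be deleted concurrently with index close the check is still racy — worth confirming what the callers hold. The loop body these lines belong to starts outside the hunk.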
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_attr.c b/ldap/servers/slapd/back-ldbm/ldbm_attr.c
index db087fe..862dcd1 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_attr.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_attr.c
@@ -88,6 +88,10 @@ attrinfo_delete(struct attrinfo **pp)
slapi_ch_free((void**)&((*pp)->ai_attrcrypt));
attr_done(&((*pp)->ai_sattr));
attrinfo_delete_idlistinfo(&(*pp)->ai_idlistinfo);
+ if ((*pp)->ai_dblayer) {
+ /* attriinfo is deleted. Cleaning up the backpointer at the same time. */
+ ((dblayer_handle *)((*pp)->ai_dblayer))->dblayer_handle_ai_backpointer = NULL;
+ }
slapi_ch_free((void**)pp);
*pp= NULL;
}
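Review bot: The added block dereferences `(*pp)->ai_dblayer` to clear the handle's backpointer, which is safe only if `ai_dblayer` is guaranteed to be either NULL or a still-live handle — exactly what the dblayer.c hunk arranges for `dblayer_close_indexes`, but any other path that frees a `dblayer_handle` without NULLing `ai_dblayer` would turn this write into a use-after-free of the handle. Suggest auditing the other handle teardown paths and documenting the invariant on the `ai_dblayer` field declaration. The added comment has a typo (`attriinfo`) and could state the purpose more precisely: `/* Sever the two-way link so the handle never writes through a dangling backpointer. */`. The `(dblayer_handle *)` cast suggests `ai_dblayer` is declared as `void *`; a typed field would make this safer. attrinfo_delete's signature is outside the hunk.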
--
2.9.3