|
 |
61f723 |
From 8c39c9dbe69949065940019e930c37b8f5450a75 Mon Sep 17 00:00:00 2001
|
|
|
61f723 |
From: Adam Tkac <vonsch@gmail.com>
|
|
|
61f723 |
Date: Sat, 18 Mar 2017 23:34:54 +0100
|
|
|
61f723 |
Subject: [PATCH] Fix double-free in _cl5NewDBFile() error path
|
|
|
61f723 |
|
|
|
61f723 |
Although slapi_ch_free should prevent double-free errors, it doesn't work
|
|
|
61f723 |
in old code because after assignment
|
|
|
61f723 |
|
|
|
61f723 |
(*dbFile)->name = name;
|
|
|
61f723 |
|
|
|
61f723 |
two independent pointers points to the same allocated area and both pointers
|
|
|
61f723 |
are free()-ed (one directly in error path in _cl5NewDBFile and the second
|
|
|
61f723 |
in _cl5DBCloseFile, called in error path as well).
|
|
|
61f723 |
|
|
|
61f723 |
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
|
|
|
61f723 |
---
|
|
|
61f723 |
ldap/servers/plugins/replication/cl5_api.c | 7 ++++---
|
|
|
61f723 |
1 file changed, 4 insertions(+), 3 deletions(-)
|
|
|
61f723 |
|
|
|
61f723 |
diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c
|
|
|
61f723 |
index fc70ab7..5c2233f 100644
|
|
|
61f723 |
--- a/ldap/servers/plugins/replication/cl5_api.c
|
|
|
61f723 |
+++ b/ldap/servers/plugins/replication/cl5_api.c
|
|
|
61f723 |
@@ -6269,9 +6269,10 @@ out:
|
|
|
61f723 |
}
|
|
|
61f723 |
|
|
|
61f723 |
(*dbFile)->db = db;
|
|
|
61f723 |
- (*dbFile)->name = name;
|
|
|
61f723 |
- (*dbFile)->replName = slapi_ch_strdup (replName);
|
|
|
61f723 |
- (*dbFile)->replGen = slapi_ch_strdup (replGen);
|
|
|
61f723 |
+ (*dbFile)->name = name;
|
|
|
61f723 |
+ name = NULL; /* transfer ownership to dbFile struct */
|
|
|
61f723 |
+ (*dbFile)->replName = slapi_ch_strdup (replName);
|
|
|
61f723 |
+ (*dbFile)->replGen = slapi_ch_strdup (replGen);
|
|
|
61f723 |
|
|
|
61f723 |
/*
|
|
|
61f723 |
* Considerations for setting up cl semaphore:
|
|
|
61f723 |
--
|
|
|
61f723 |
2.9.3
|
|
|
61f723 |
|