From 391130c60ccedb0f7650d4454141686d293dc39e Mon Sep 17 00:00:00 2001

From: Ludwig Krispenz <lkrispen@redhat.com>

Date: Tue, 20 Aug 2019 10:18:22 +0200

Subject: [PATCH] fix for 50542 crashes in filter tests

The crash is when a backentry is released, there is a call to CACHE_RETURN

and then check and free of a vlv entry.

But CACHE_RETURN, under some conditions, can free the backentry - the following check will

dereference a NULL entry and crashes

Fix: Reverse the order of freeing vlv entry and returning entry to cache

Note: Viktor did successfully runthe tests, thanks

Reviewed by: ?

---

 ldap/servers/slapd/back-ldbm/ldbm_search.c | 4 ++--

 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ldap/servers/slapd/back-ldbm/ldbm_search.c b/ldap/servers/slapd/back-ldbm/ldbm_search.c

index c8f5719e1..2ad8f743a 100644

--- a/ldap/servers/slapd/back-ldbm/ldbm_search.c

+++ b/ldap/servers/slapd/back-ldbm/ldbm_search.c

@@ -1896,13 +1896,13 @@ ldbm_back_entry_release(Slapi_PBlock *pb, void *backend_info_ptr)

     slapi_pblock_get(pb, SLAPI_BACKEND, &be);

     inst = (ldbm_instance *)be->be_instance_info;

-    CACHE_RETURN(&inst->inst_cache, (struct backentry **)&backend_info_ptr);

-

     if (((struct backentry *)backend_info_ptr)->ep_vlventry != NULL) {

         /* This entry was created during a vlv search whose acl check failed.  It needs to be

          * freed here */

         slapi_entry_free(((struct backentry *)backend_info_ptr)->ep_vlventry);

         ((struct backentry *)backend_info_ptr)->ep_vlventry = NULL;

     }

+    CACHE_RETURN(&inst->inst_cache, (struct backentry **)&backend_info_ptr);

+

     return 0;

 }

-- 

2.24.1