|
|
a2f18f |
From 413414c98313a076111d8e40a7a10fa369433e6e Mon Sep 17 00:00:00 2001
|
|
|
b161c9 |
From: Noriko Hosoi <nhosoi@redhat.com>
|
|
|
b161c9 |
Date: Thu, 16 Jul 2015 10:34:47 -0700
|
|
|
a2f18f |
Subject: [PATCH 24/30] Ticket #48226 - In MMR, double free coould occur under
|
|
|
b161c9 |
some special condition
|
|
|
b161c9 |
|
|
|
b161c9 |
Bug description:
|
|
|
b161c9 |
In a replicated topology, a authenticated user that have write access
|
|
|
b161c9 |
on an entry can send a series of operations that crash the server.
|
|
|
b161c9 |
The crash is due to an access to a already freed buffer.
|
|
|
b161c9 |
Fix description:
|
|
|
b161c9 |
To avoid the double free, duplicate a CSNSet and assign it to the
|
|
|
b161c9 |
Slapi_Value.
|
|
|
b161c9 |
|
|
|
b161c9 |
https://fedorahosted.org/389/ticket/48226
|
|
|
b161c9 |
|
|
|
b161c9 |
Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
|
|
|
b161c9 |
|
|
|
b161c9 |
(cherry picked from commit a0f8e0f981a046882db299a7a6d6d1c01bc19571)
|
|
|
b161c9 |
(cherry picked from commit bdbc81e62eb8d7b8dfb298c7ba983cf86353fe66)
|
|
|
b161c9 |
---
|
|
|
b161c9 |
ldap/servers/slapd/valueset.c | 5 +++--
|
|
|
b161c9 |
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
b161c9 |
|
|
|
b161c9 |
diff --git a/ldap/servers/slapd/valueset.c b/ldap/servers/slapd/valueset.c
|
|
|
a2f18f |
index 0cf3ded..7eabb82 100644
|
|
|
b161c9 |
--- a/ldap/servers/slapd/valueset.c
|
|
|
b161c9 |
+++ b/ldap/servers/slapd/valueset.c
|
|
|
a2f18f |
@@ -1415,8 +1415,9 @@ valueset_update_csn_for_valuearray_ext(Slapi_ValueSet *vs, const Slapi_Attr *a,
|
|
|
b161c9 |
if(v)
|
|
|
b161c9 |
{
|
|
|
b161c9 |
value_update_csn(v,t,csn);
|
|
|
b161c9 |
- if (csnref_updated)
|
|
|
b161c9 |
- valuestoupdate[i]->v_csnset = (CSNSet *)value_get_csnset(v);
|
|
|
b161c9 |
+ if (csnref_updated) {
|
|
|
b161c9 |
+ valuestoupdate[i]->v_csnset = csnset_dup(value_get_csnset(v));
|
|
|
b161c9 |
+ }
|
|
|
b161c9 |
valuearrayfast_add_value_passin(&vaf_valuesupdated,valuestoupdate[i]);
|
|
|
b161c9 |
valuestoupdate[i]= NULL;
|
|
|
b161c9 |
del_count++;
|
|
|
b161c9 |
--
|
|
|
b161c9 |
1.9.3
|
|
|
b161c9 |
|