From aa6561d02969ce1db1a50da2b8af8679f6aeca69 Mon Sep 17 00:00:00 2001

From: Noriko Hosoi <nhosoi@redhat.com>

Date: Fri, 5 Jun 2015 10:13:17 -0700

Subject: [PATCH 71/72] Ticket #48192 - Individual abandoned simple paged

 results request has no chance to be cleaned up

Description: Checking the cookie value passed by the client was not

sufficient.  The negative value check was missing, which lead to

the simple paged results array out of bounds.  Plus, a minor memory

leak was fixed.  Thanks to Thierry Bordaz for his reviews!

https://fedorahosted.org/389/ticket/48192

(cherry picked from commit 298371d372678cf553594ae73ae57a6ea35358bf)

(cherry picked from commit 7718eb6a6714d1a284c3c706e621a7eb0ca5655a)

---

 ldap/servers/slapd/pagedresults.c | 4 ++--

 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ldap/servers/slapd/pagedresults.c b/ldap/servers/slapd/pagedresults.c

index 402dd10..2e70e19 100644

--- a/ldap/servers/slapd/pagedresults.c

+++ b/ldap/servers/slapd/pagedresults.c

@@ -177,14 +177,14 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,

         memcpy(ptr, cookie.bv_val, cookie.bv_len);

         *(ptr+cookie.bv_len) = '\0';

         *index = strtol(ptr, NULL, 10);

-        if (conn->c_pagedresults.prl_maxlen <= *index) {

+        slapi_ch_free_string(&ptr);

+        if ((conn->c_pagedresults.prl_maxlen <= *index) || (*index < 0)){

             rc = LDAP_PROTOCOL_ERROR;

             LDAPDebug1Arg(LDAP_DEBUG_ANY,

                           "pagedresults_parse_control_value: invalid cookie: %d\n",

                           *index);

             goto bail;

         }

-        slapi_ch_free_string(&ptr);

         prp = conn->c_pagedresults.prl_list + *index;

         if (!(prp->pr_search_result_set)) { /* freed and reused for the next backend. */

             conn->c_pagedresults.prl_count++;

-- 

1.9.3