Blob Blame History Raw
From aa6561d02969ce1db1a50da2b8af8679f6aeca69 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Fri, 5 Jun 2015 10:13:17 -0700
Subject: [PATCH 71/72] Ticket #48192 - Individual abandoned simple paged
 results request has no chance to be cleaned up

Description: Checking the cookie value passed by the client was not
sufficient.  The negative value check was missing, which lead to
the simple paged results array out of bounds.  Plus, a minor memory
leak was fixed.  Thanks to Thierry Bordaz for his reviews!

https://fedorahosted.org/389/ticket/48192
(cherry picked from commit 298371d372678cf553594ae73ae57a6ea35358bf)
(cherry picked from commit 7718eb6a6714d1a284c3c706e621a7eb0ca5655a)
---
 ldap/servers/slapd/pagedresults.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ldap/servers/slapd/pagedresults.c b/ldap/servers/slapd/pagedresults.c
index 402dd10..2e70e19 100644
--- a/ldap/servers/slapd/pagedresults.c
+++ b/ldap/servers/slapd/pagedresults.c
@@ -177,14 +177,14 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
         memcpy(ptr, cookie.bv_val, cookie.bv_len);
         *(ptr+cookie.bv_len) = '\0';
         *index = strtol(ptr, NULL, 10);
-        if (conn->c_pagedresults.prl_maxlen <= *index) {
+        slapi_ch_free_string(&ptr);
+        if ((conn->c_pagedresults.prl_maxlen <= *index) || (*index < 0)){
             rc = LDAP_PROTOCOL_ERROR;
             LDAPDebug1Arg(LDAP_DEBUG_ANY,
                           "pagedresults_parse_control_value: invalid cookie: %d\n",
                           *index);
             goto bail;
         }
-        slapi_ch_free_string(&ptr);
         prp = conn->c_pagedresults.prl_list + *index;
         if (!(prp->pr_search_result_set)) { /* freed and reused for the next backend. */
             conn->c_pagedresults.prl_count++;
-- 
1.9.3