From 413414c98313a076111d8e40a7a10fa369433e6e Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Thu, 16 Jul 2015 10:34:47 -0700
Subject: [PATCH 24/30] Ticket #48226 - In MMR, double free coould occur under
some special condition
Bug description:
In a replicated topology, an authenticated user that has write access
on an entry can send a series of operations that crash the server.
The crash is due to an access to an already freed buffer.
Fix description:
To avoid the double free, duplicate a CSNSet and assign it to the
Slapi_Value.
https://fedorahosted.org/389/ticket/48226
Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
(cherry picked from commit a0f8e0f981a046882db299a7a6d6d1c01bc19571)
(cherry picked from commit bdbc81e62eb8d7b8dfb298c7ba983cf86353fe66)
---
ldap/servers/slapd/valueset.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ldap/servers/slapd/valueset.c b/ldap/servers/slapd/valueset.c
index 0cf3ded..7eabb82 100644
--- a/ldap/servers/slapd/valueset.c
+++ b/ldap/servers/slapd/valueset.c
@@ -1415,8 +1415,9 @@ valueset_update_csn_for_valuearray_ext(Slapi_ValueSet *vs, const Slapi_Attr *a,
if(v)
{
value_update_csn(v,t,csn);
- if (csnref_updated)
- valuestoupdate[i]->v_csnset = (CSNSet *)value_get_csnset(v);
+ if (csnref_updated) {
+ valuestoupdate[i]->v_csnset = csnset_dup(value_get_csnset(v));
+ }
valuearrayfast_add_value_passin(&vaf_valuesupdated,valuestoupdate[i]);
valuestoupdate[i]= NULL;
del_count++;
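Review bot: The added assignment overwrites `valuestoupdate[i]->v_csnset` without releasing whatever that field already pointed to; if it can hold an owned CSNSet at this point, the previous one leaks, and a `csnset_free(&valuestoupdate[i]->v_csnset);` immediately before the assignment would close that (whether the field is always NULL here cannot be seen from the hunk). The reason for taking a copy is also worth recording at the site, since a later reader may be tempted to go back to sharing the pointer returned by value_get_csnset: `/* deep-copy: v and valuestoupdate[i] are freed independently, sharing one CSNSet caused the double free of ticket 48226 */`. valueset_update_csn_for_valuearray_ext starts before and continues past this hunk.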
--
1.9.3