389-ds-base built with mozldap can crash from invalid free #865

Closed
389-ds-bot opened this issue Sep 12, 2020 · 3 comments

Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/47528


0 0x000000378e0328a5 in raise () from /lib64/libc.so.6
1 0x000000378e034085 in abort () from /lib64/libc.so.6
2 0x000000378e0707b7 in __libc_message () from /lib64/libc.so.6
3 0x000000378e0760e6 in malloc_printerr () from /lib64/libc.so.6
4 0x00007ff7b21248ae in slapi_ch_free (ptr=0x7ff778004db8) at ../ds/ldap/servers/slapd/ch_malloc.c:363
5 0x00007ff7b2144fc3 in slapi_filter_free (f=0x7ff778004d90, recurse=1) at ../ds/ldap/servers/slapd/filter.c:782
6 0x00007ff7b2145050 in slapi_filter_free (f=0x7ff77800d6a0, recurse=1) at ../ds/ldap/servers/slapd/filter.c:800
7 0x000000000043096e in do_search (pb=0x7ff79bffea90) at ../ds/ldap/servers/slapd/search.c:425
8 0x000000000041578e in connection_dispatch_operation (conn=0x7ff7a8801410, op=0x7ff77800e480, pb=0x7ff79bffea90) at ../ds/ldap/servers/slapd/connection.c:682
9 0x00000000004172fd in connection_threadmain () at ../ds/ldap/servers/slapd/connection.c:2508
10 0x000000379d829a73 in ?? () from /lib64/libnspr4.so
11 0x000000378e407851 in start_thread () from /lib64/libpthread.so.0
12 0x000000378e0e890d in clone () from /lib64/libc.so.6

The issue is that the slapi_escape_filter_value() returned string gets freed by the caller. When using mozldap, this function can return the original filter pointer, which can lead to a double free (see above stack).

@389-ds-bot 389-ds-bot added the closed: fixed Migration flag - Issue label Sep 12, 2020
@389-ds-bot 389-ds-bot added this to the 1.3.1.10 milestone Sep 12, 2020
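
The ownership hazard described in the issue, shown as an added example that is not 389-ds-base code: every function name here is a hypothetical stand-in, and the escaped characters are the RFC 4515 set. It contrasts an escape routine that may hand back its input pointer with one that always returns a separate allocation, which is the contract a caller that frees the result depends on.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for illustration; not 389-ds-base code. */
typedef char *(*escape_fn)(char *val);

static char *dup_str(const char *s) {
    char *d = malloc(strlen(s) + 1);
    return d ? strcpy(d, s) : NULL;
}

/* Always returns a new heap buffer with RFC 4515 escapes for * ( ) \ */
static char *escape_copy(const char *val) {
    char *out = malloc(strlen(val) * 3 + 1), *p = out;
    if (out == NULL) return NULL;
    for (; *val; val++) {
        if (strchr("*()\\", *val)) p += sprintf(p, "\\%02x", (unsigned char)*val);
        else *p++ = *val;
    }
    *p = '\0';
    return out;
}

/* Hazard: hands back the caller's own pointer when nothing needs escaping,
 * so a caller that frees both the value and the result frees it twice. */
char *escape_aliasing(char *val) {
    return strpbrk(val, "*()\\") ? escape_copy(val) : val;
}

/* Hardened contract: the result is always a distinct allocation. */
char *escape_owned(char *val) { return escape_copy(val); }

/* Returns 1 if fn's result aliases its input, 0 if it is a separate buffer
 * holding `expected`, -1 otherwise. Each allocation is freed exactly once. */
int check_escape(escape_fn fn, const char *text, const char *expected) {
    char *in = dup_str(text);
    char *out = in ? fn(in) : NULL;
    int rc = (out && out == in) ? 1 : (out && strcmp(out, expected) == 0) ? 0 : -1;
    if (out != in) free(out);   /* never free the aliased pointer twice */
    free(in);
    return rc;
}

int main(void) {
    printf("aliasing, plain value: %d\n", check_escape(escape_aliasing, "admin", "admin"));
    printf("owned, plain value:    %d\n", check_escape(escape_owned, "admin", "admin"));
    return 0;
}
```
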
Comment from mreynolds (@mreynolds389) at 2013-09-27 01:43:28

git merge ticket47528
Updating 058d01d..da59cff
Fast-forward
ldap/servers/slapd/util.c | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletions(-)

git push origin master
Counting objects: 11, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 889 bytes, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
058d01d..da59cff master -> master

commit da59cff
Author: Mark Reynolds mreynolds389@redhat.com
Date: Thu Sep 26 14:42:20 2013 -0400

git cherry-pick -x master
Finished one cherry-pick.
[389-ds-base-1.3.1 f7156e0] Ticket 47528 - 389-ds-base built with mozldap can crash from invalid free
1 files changed, 7 insertions(+), 1 deletions(-)

git push origin 389-ds-base-1.3.1
Counting objects: 11, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 937 bytes, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
e5405e6..f7156e0 389-ds-base-1.3.1 -> 389-ds-base-1.3.1

Comment from mreynolds (@mreynolds389) at 2017-02-11 22:57:45

Metadata Update from @mreynolds389:

  • Issue assigned to mreynolds389
  • Issue set to the milestone: 1.3.1.10
