ldap/servers/slapd/util.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
New commits:
commit da59cff5e6d27c18bbb02cba98bb99c1bfa37c70
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Thu Sep 26 14:42:20 2013 -0400
Ticket 47528 - 389-ds-base built with mozldap can crash from invalid free
Bug Description: The issue is that the string returned by slapi_escape_filter_value() gets freed by the caller. When using mozldap, this function can return the original filter pointer, which can lead to a double free.
Fix Description: Return a copy of the filter str so it can be safely freed. Also free the buf if it's not being returned.
https://fedorahosted.org/389/ticket/47528
Reviewed by: nhosoi(Thanks!)
diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c
index 1991040..9dd3822 100644
--- a/ldap/servers/slapd/util.c
+++ b/ldap/servers/slapd/util.c
@@ -477,8 +477,14 @@ slapi_escape_filter_value(char* filter_str, int len)
}
#else
char *buf = slapi_ch_calloc(sizeof(char), filter_len*3+1);
+ char *esc_str = do_escape_string(filter_str, filter_len, buf, special_filter);
- return do_escape_string(filter_str, filter_len, buf, special_filter);
+ if(esc_str != buf){
+ slapi_ch_free_string(&buf);
+ return slapi_ch_strdup(esc_str);
+ } else {
+ return buf;
+ }
#endif
}
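Review bot: In the `esc_str != buf` branch, `slapi_ch_strdup(esc_str)` copies up to the first NUL rather than `filter_len` bytes, so if a caller passes an explicit `len` shorter than the string, or an input that is not NUL-terminated, the copy returns more than was requested or reads past the input. Since `buf` is already calloc'ed with `filter_len*3+1` bytes, the unescaped case could reuse it instead of freeing it and duplicating: `memcpy(buf, esc_str, filter_len); return buf;`. This assumes the non-`buf` return is always `filter_str` and never NULL, which depends on do_escape_string and on how `filter_len` is derived from `len`; both are outside this hunk, as is the start of the function body.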