Commit 15ff2e3 Ticket 49669 - Invalid cachemem size can crash the server during a restore

2 files Authored and Committed by mreynolds 3 months ago
Ticket 49669 - Invalid cachemem size can crash the server during a restore

Bug Description:  If you manually set the dbcachememsize to a value larger than
                  a uint64_t can hold, the server can crash from a NULL pointer
                  being dereferenced.

Fix Description:  Catch the NULL pointer before it is dereferenced, and abort the
                  restore.

https://pagure.io/389-ds-base/issue/49669

Reviewed by: firstyear & tbordaz (Thanks!!)

    
 1 @@ -6566,6 +6566,16 @@
 2                           goto error_out;
 3                       }
 4   
 5 +                     if (inst->inst_parent_dir_name == NULL) {
 6 +                         slapi_log_err(SLAPI_LOG_ERR, "dblayer_restore",
 7 +                                       "Parent directory is not set, aborting restore\n");
 8 +                         if (task) {
 9 +                             slapi_task_log_notice(task, "dblayer_restore - Parent directory is not set, aborting restore\n");
10 +                         }
11 +                         PR_CloseDir(dirhandle);
12 +                         return_value = LDAP_UNWILLING_TO_PERFORM;
13 +                         goto error_out;
14 +                     }
15                       if (slapd_comp_path(src_dir, inst->inst_parent_dir_name) == 0) {
16                           slapi_log_err(SLAPI_LOG_ERR,
17                                         "dblayer_restore", "Backup dir %s and target dir %s "
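Review bot: The abort message added in this hunk, `"Parent directory is not set, aborting restore\n"`, does not say which backend instance has the unset `inst_parent_dir_name`, so neither the error log nor the task log tells an operator which instance's configuration to fix. Consider naming the instance in both calls, for example `"Parent directory is not set for instance %s, aborting restore\n", inst->inst_name` (this assumes the instance struct carries its name in `inst_name`; confirm against the struct definition). The new branch also calls `PR_CloseDir(dirhandle)` before `goto error_out`, and since the `error_out` label is outside the hunk, it is worth confirming that path does not close the handle a second time. The enclosing function starts and ends outside the hunk.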
 1 @@ -1178,7 +1178,7 @@
 2   }
 3   
 4   /*
 5 -  * Compare 2 pathes
 6 +  * Compare 2 paths
 7    * Paths could contain ".", "..", "//" in the path, thus normalize them first.
 8    * One or two of the paths could be a relative path.
 9    */
10 @@ -1186,9 +1186,19 @@
11   slapd_comp_path(char *p0, char *p1)
12   {
13       int rval = 0;
14 -     char *norm_p0 = rel2abspath(p0);
15 -     char *norm_p1 = rel2abspath(p1);
16 +     char *norm_p0;
17 +     char *norm_p1;
18   
19 +     /*
20 +      * Neither path should be NULL, but it's possible when bad thing happen.
21 +      * Return 0 which triggers an error in the caller
22 +      */
23 +     if (p0 == NULL || p1 == NULL){
24 +         return 0;
25 +     }
26 + 
27 +     norm_p0 = rel2abspath(p0);
28 +     norm_p1 = rel2abspath(p1);
29       rval = strcmp(norm_p0, norm_p1);
30       slapi_ch_free_string(&norm_p0);
31       slapi_ch_free_string(&norm_p1);
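Review bot: The new NULL guard in `slapd_comp_path` returns 0, the same value `strcmp` gives for identical paths, so an invalid argument is reported to every caller as "the paths are equal". The restore caller treats 0 as an error, but any caller not visible here that uses equality to permit an action would fail open on a NULL path. The header comment should state this contract, for example `* Returns 0 if the normalized paths are equal, and also if either argument is NULL.`, and the other callers should be checked against it. The results of `rel2abspath` are still passed to `strcmp` unchecked; if that helper can return NULL (not visible here), the same crash remains reachable. The function body continues past the end of the hunk.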