From 265c6e399016ad4a46c8709d32367b9c30ea57cf Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Oct 13 2015 17:01:51 +0000
Subject: Ticket #48287 - Double free while adding entries (1.2.11 only)


Description: If a callback at SLAPI_PLUGIN_BE_TXN_*_ADD_FN fails and the
adding-entry is in a cache, the ldbm_back_add is supposed to remove the
adding-entry from the cache and free it.  The issue was fixed in 1.3.1
and newer by these tickets:
 Ticket #47808 - If be_txn plugin fails in ldbm_back_add, adding entry is double freed.
 Ticket #47815 - Add operations rejected by betxn plugins remain in cache
which were not backported to 1.2.11.

https://fedorahosted.org/389/ticket/48287

Reviewed by tbordaz@redhat.com (Thank you, Thierry!!)

---

diff --git a/ldap/servers/slapd/add.c b/ldap/servers/slapd/add.c
index 0198b1c..9f0bbc0 100644
--- a/ldap/servers/slapd/add.c
+++ b/ldap/servers/slapd/add.c
@@ -726,10 +726,8 @@ static void op_shared_add (Slapi_PBlock *pb)
 			}
 			else
 			{
-				/* restore e so we can free it below */
-				if (save_e) {
-					e = save_e;
-				}
+				/* PR_ASSERT(!save_e); save_e is supposed to be freed in the backend.  */
+				e = save_e;
 				if (rc == SLAPI_FAIL_DISKFULL)
 				{
 					operation_out_of_disk_space();
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_add.c b/ldap/servers/slapd/back-ldbm/ldbm_add.c
index f27e78d..3397c0f 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_add.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_add.c
@@ -108,7 +108,6 @@ ldbm_back_add( Slapi_PBlock *pb )
 	Slapi_DN parentsdn;
 	Slapi_Operation *operation;
 	int dblock_acquired= 0;
-	int is_remove_from_cache= 0;
 	int is_replicated_operation= 0;
 	int is_resurect_operation= 0;
 	int is_tombstone_operation= 0;
@@ -1174,7 +1173,20 @@ diskfull_return:
 				}
 				slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
 			}
-
+			if ( addingentry ) {
+				if (inst && cache_is_in_cache(&inst->inst_cache, addingentry)) {
+					CACHE_REMOVE(&inst->inst_cache, addingentry);
+					/* tell frontend not to free this entry */
+					slapi_pblock_set(pb, SLAPI_ADD_ENTRY, NULL);
+				}
+				else if (!cache_has_otherref(&inst->inst_cache, addingentry))
+				{
+					if (!is_resurect_operation) { /* if resurect, tombstoneentry is dupped. */
+						backentry_clear_entry(addingentry); /* e is released in the frontend */
+					}
+				}
+				CACHE_RETURN( &inst->inst_cache, &addingentry );
+			}
 			if (!noabort) {
 				dblayer_txn_abort(li,&txn); /* abort crashes in case disk full */
 			}
@@ -1226,9 +1238,6 @@ common_return:
 					}
 				}
 			}
-			if (is_remove_from_cache) {
-				CACHE_REMOVE(&inst->inst_cache, addingentry);
-			}
 			CACHE_RETURN( &inst->inst_cache, &addingentry );
 		}
 	}