From 31c0425599b13e492cdadff5ea64da6e1696b6bc Mon Sep 17 00:00:00 2001
From: William Brown
Date: Sep 30 2016 03:48:42 +0000
Subject: Ticket 48982 - Enabling a plugin that has a versioned so causes overflow

Bug Description: Enabling a plugin that has a versioned.so causes overflow. This is becuase we assumed that all plugins are "libname.so", and were not symlinks. So we used a fixed size buffer to realpath.

Fix Description: Realpath can dynamically allocate the correct size buffer for the resolved path, so we use that. Additionally, we need to use "free" instead because realpath uses malloc not slapi_ch_malloc.

https://fedorahosted.org/389/ticket/48982

Author: wibrown
Reviewed by: nhosoi (Thanks so much!)

---

diff --git a/ldap/servers/slapd/fedse.c b/ldap/servers/slapd/fedse.c
index a7c2a0e..6988521 100644
--- a/ldap/servers/slapd/fedse.c
+++ b/ldap/servers/slapd/fedse.c
@@ -1956,8 +1956,13 @@ check_plugin_path(Slapi_PBlock *pb,
 } else { /* relative path */
 full_path = slapi_get_plugin_name(PLUGINDIR, vals[j]);
 }
- resolved_path = slapi_ch_malloc(strlen(full_path) + 1);
- res = realpath( full_path, resolved_path );
+ /*
+ * See man 3 realpath. We have to pass in NULL here, because we don't
+ * know if the library is versioned, it could be *any* length when
+ * resolved. The quirk is that this uses malloc, not slapi_ch_malloc,
+ * so we need to free res with free() only!
+ */
+ res = realpath( full_path, NULL );
 if (res) {
 if ((handle = dlopen(res, RTLD_NOW)) == NULL) {
 *returncode = LDAP_UNWILLING_TO_PERFORM;
@@ -1972,7 +1977,8 @@ check_plugin_path(Slapi_PBlock *pb,
 rc = SLAPI_DSE_CALLBACK_ERROR;
 }
 slapi_ch_free_string(&full_path);
- slapi_ch_free_string(&resolved_path);
+ /* See comment above. Must free res from realpath with free() only! */
+ free(res);
 }
 slapi_ch_array_free(vals);
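Review bot: The new `res = realpath( full_path, NULL );` removes the fixed-size buffer that a long versioned-.so path could overflow, but the NULL-buffer form can also fail with ENOMEM, and the hunk only shows the success branch (`if (res) {`), so whether a NULL return is reported to the administrator (setting `*returncode` and logging `strerror(errno)`) or silently falls through depends on code outside the hunk and is worth confirming, since realpath's errno is now the only diagnostic for an unresolvable plugin path. The removed `resolved_path` local presumably still has a declaration above this hunk; it should go with this change or it becomes an unused variable. The new comment could also carry the portability caveat practitioners look for: `* Passing NULL is POSIX.1-2008 (implementation-defined in POSIX.1-2001); the result is malloc()ed, so free() it, never slapi_ch_free.` check_plugin_path both starts and ends outside the hunk.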