From 840cfbfc7d6473338cd4ef167bf4a0d8867be80b Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Aug 30 2016 18:48:55 +0000
Subject: Ticket 48975- Disabling CLEAR password storage scheme will

 crash server when setting a password

Bug Description:  If the CLEAR password storage scheme plugin is disabled, and a
                  userpassword is set, the server crashes.  This is because we
                  expect this plugin to be enabled when working with the unhashed
                  password.

Fix Description:  Always check if the password scheme, returned by pw_val2scheme(),
                  is NULL before dereferencing it.  If it is NULL treat it as a
                  clear text password.

Valgrind: Passed

https://fedorahosted.org/389/ticket/48975

Reviewed by: nhosoi(Thanks!)

(cherry picked from commit 52230585a1191bf1e747780b592f291d652e26dd)

---

diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index 4bcc827..ed08885 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -847,7 +847,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 				for ( i = 0; pw_mod->mod_bvalues != NULL && pw_mod->mod_bvalues[i] != NULL; i++ ) {
 					char *password = slapi_ch_strdup(pw_mod->mod_bvalues[i]->bv_val);
 					pwsp = pw_val2scheme( password, &valpwd, 1 );
-					if(strcmp(pwsp->pws_name, "CLEAR") == 0){
+					if(pwsp == NULL || strcmp(pwsp->pws_name, "CLEAR") == 0){
 						/*
 						 *  CLEAR password
 						 *
@@ -871,7 +871,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 								const char *userpwd = slapi_value_get_string(present_values[ii]);
 
 								pass_scheme = pw_val2scheme( (char *)userpwd, &pval, 1 );
-								if(strcmp(pass_scheme->pws_name,"CLEAR")){
+								if(pass_scheme && strcmp(pass_scheme->pws_name,"CLEAR")){
 									/* its encoded, so compare it */
 									if((*(pass_scheme->pws_cmp))( valpwd, pval ) == 0 ){
 										/*
@@ -931,7 +931,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 								 *  provided by the client.
 								 */
 								unhashed_pwsp = pw_val2scheme( (char *)unhashed_pwd, NULL, 1 );
-								if(strcmp(unhashed_pwsp->pws_name, "CLEAR") == 0){
+								if(unhashed_pwsp == NULL || strcmp(unhashed_pwsp->pws_name, "CLEAR") == 0){
 									if((*(pwsp->pws_cmp))((char *)unhashed_pwd , valpwd) == 0 ){
 										/* match, add the delete mod for this particular unhashed userpassword */
 										if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
@@ -1457,7 +1457,7 @@ valuearray_init_bervalarray_unhashed_only(struct berval **bvals, Slapi_Value ***
 		*cvals = (Slapi_Value **) slapi_ch_malloc((n + 1) * sizeof(Slapi_Value *));
 		for(i = 0, p = 0; i < n; i++){
 			pwsp = pw_val2scheme( bvals[i]->bv_val, NULL, 1 );
-			if(strcmp(pwsp->pws_name, "CLEAR") == 0){
+			if(pwsp == NULL || strcmp(pwsp->pws_name, "CLEAR") == 0){
 				(*cvals)[p++] = slapi_value_new_berval(bvals[i]);
 			}
 			free_pw_scheme( pwsp );
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index 2785bd7..d0d8570 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
@@ -266,8 +266,8 @@ void free_pw_scheme(struct pw_scheme *pwsp)
 {
 	if ( pwsp != NULL )
 	{
-		slapi_ch_free( (void**)&pwsp->pws_name );
-		slapi_ch_free( (void**)&pwsp );
+		slapi_ch_free_string(&pwsp->pws_name);
+		slapi_ch_free((void**)&pwsp);
 	}
 }