From bb0fc515d207e7543ffec00e016da54d6099d974 Mon Sep 17 00:00:00 2001 From: Rich Megginson Date: Aug 31 2011 16:12:08 +0000 Subject: Bug 733103 - large targetattr list with syntax errors cause server to crash or hang https://bugzilla.redhat.com/show_bug.cgi?id=733103 Resolves: bug 733103 Bug Description: large targetattr list with syntax errors cause server to crash or hang Reviewed by: nhosoi (Thanks!) Branch: 389-ds-base-1.2.9 Fix Description: If we need to realloc the list to hold more target attributes, the list is not NULL terminated. If there are syntax errors in the aci, the function returns with an unterminated list, and this will either cause the loop in the free code to go off the end of the list or crash with a segfault. The fix is to make sure the list is always NULL terminated. Platforms tested: RHEL6 x86_64 Flag Day: no Doc impact: no (cherry picked from commit 91c6799b07ca48bce85482136ceb244b484fc91b) (cherry picked from commit 88dc8d6171ec6e34baf95f353dd974df05c964f6) --- diff --git a/ldap/servers/plugins/acl/aclparse.c b/ldap/servers/plugins/acl/aclparse.c index 014df1b..a137db9 100644 --- a/ldap/servers/plugins/acl/aclparse.c +++ b/ldap/servers/plugins/acl/aclparse.c @@ -1447,6 +1447,10 @@ __aclp__init_targetattr (aci_t *aci, char *attr_val, char **errbuf) } slapi_ch_free_string(&errstr); slapi_ch_free((void **)&attr); + /* NULL terminate the list - the realloc below does not NULL terminate + the list, and the list is normally only NULL terminated when the + function returns with success */ + attrArray[numattr] = NULL; return ACL_SYNTAX_ERR; } }
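Review bot: the added `attrArray[numattr] = NULL;` in front of `return ACL_SYNTAX_ERR;` terminates the list on this one error exit only, while the new comment itself says the realloc does not NULL terminate the list and that termination normally happens only on success. Any other early return in `__aclp__init_targetattr` that is reached after the array has been grown would hand the same unterminated list to the free loop described in the commit message. Consider writing the NULL sentinel where the array is grown, or each time an entry is stored, so that every exit path is covered rather than relying on each error branch to remember it. Please also confirm that index `numattr` is always inside the allocated size at this point, since the hunk does not show the capacity check that guards it.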