#603 A logic error in str2simple
Closed: Fixed None Opened 6 years ago by nhosoi.

A very old fix made on str2simple introduced this logic error.

@@ -275,13 +277,17 @@ str2simple( char *str )
                }
                f->f_avvalue.bv_val = unqstr;
                f->f_avvalue.bv_len = len2;
-       }
+       } if ( !unescape_filter ) {
+               f->f_avtype = slapi_ch_strdup( str );
+               f->f_avvalue.bv_val = slapi_ch_strdup ( value );
+               f->f_avvalue.bv_len = strlen ( f->f_avvalue.bv_val );
+       }

        return( f );
 }
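Review bot: the added `} if ( !unescape_filter ) {` is a new statement, not a continuation of the preceding if/else-if chain, so when f_choice is LDAP_FILTER_PRESENT and unescape_filter is 0 the earlier `f->f_type = slapi_ch_strdup( str )` runs and this branch then writes `f->f_avtype` into the same union storage, losing the first copy. Chain it as `} else if ( !unescape_filter ) {`, or simply `} else {` since the two earlier branches already cover PRESENT and unescape_filter, so that exactly one branch assigns the type.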

This is the subset of the questionable code:

if ( f->f_choice == LDAP_FILTER_PRESENT ) {
    f->f_type = slapi_ch_strdup( str );
} else if ( unescape_filter ) {
    f->f_avtype = slapi_ch_strdup( str );
} if ( !unescape_filter ) {
    f->f_avtype = slapi_ch_strdup( str );
}

f->f_type and f->f_avtype share the same memory through a union. If ( f->f_choice == LDAP_FILTER_PRESENT ) AND ( !unescape_filter ), both assignments run and the first strdup'ed copy of str is overwritten and leaked.

Currently, nothing calls str2simple with unescape_filter == 0, so this error causes no memory leak in practice.

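A constructed C model of the bug described above (added here; it is not 389-ds code, and the struct, enum values and the "fixed" variant are assumptions): the two type pointers alias through a union, an allocation counter makes the leak observable, and the dangling `} if` is compared with a properly chained branch.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model (not the 389-ds struct): the two type pointers share
 * storage through a union, exactly as the ticket describes. */
enum { MODEL_FILTER_PRESENT = 1, MODEL_FILTER_EQUALITY = 2 };
typedef struct {
    int f_choice;
    union { char *f_type; char *f_avtype; }; /* anonymous union: aliases */
} model_filter;

/* Allocation counter so the leak is observable without valgrind. */
static int live_allocs = 0;
static char *counted_strdup(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (p) { memcpy(p, s, strlen(s) + 1); live_allocs++; }
    return p;
}
static void counted_free(char *p) { if (p) { live_allocs--; free(p); } }
/* The chain as quoted in the ticket: "} if" starts a new statement, so for
 * PRESENT && !unescape_filter the first and the last branch both run. */
static void set_type_buggy(model_filter *f, const char *str, int unescape_filter) {
    if (f->f_choice == MODEL_FILTER_PRESENT) {
        f->f_type = counted_strdup(str);
    } else if (unescape_filter) {
        f->f_avtype = counted_strdup(str);
    } if (!unescape_filter) {
        f->f_avtype = counted_strdup(str); /* overwrites f_type: first copy leaks */
    }
}
/* One corrected form (assumed here, not taken from commit 24e80bf): a plain
 * else makes the three cases mutually exclusive. */
static void set_type_fixed(model_filter *f, const char *str, int unescape_filter) {
    if (f->f_choice == MODEL_FILTER_PRESENT) {
        f->f_type = counted_strdup(str);
    } else if (unescape_filter) {
        f->f_avtype = counted_strdup(str);
    } else {
        f->f_avtype = counted_strdup(str);
    }
}
/* Run one case, free the pointer still reachable, return what was leaked. */
static int leaked_allocs(void (*set_type)(model_filter *, const char *, int),
                         int choice, int unescape_filter) {
    model_filter f; memset(&f, 0, sizeof f); f.f_choice = choice;
    live_allocs = 0;
    set_type(&f, "cn", unescape_filter);
    counted_free(f.f_type); /* same storage as f_avtype */
    return live_allocs;
}
```

Only the PRESENT with unescape_filter == 0 combination leaks with the buggy chain, which is why the bug stays invisible as long as no caller passes 0.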
Fix description: str2simple sets the strdup'ed type this way:
if ( f->f_choice == LDAP_FILTER_PRESENT ) {
    f->f_type = slapi_ch_strdup( str );
} else if ( unescape_filter ) {
    f->f_avtype = slapi_ch_strdup( str );
} if ( !unescape_filter ) {
    f->f_avtype = slapi_ch_strdup( str );
}
If f_choice is LDAP_FILTER_PRESENT and !unescape_filter is
true, the first strdup'ed string is leaked since f_type
and f_avtype share the same memory. But currently, str2simple
is not called with (unescape_filter == 0). Thus there is no
chance to satisfy the condition. This patch fixes the flaw.

Reviewed by Rich (Thank you!!)

Pushed to master: commit 24e80bf

Metadata Update from @nhosoi (2 years ago):
- Issue assigned to nhosoi
- Issue set to the milestone: 1.3.1
