#603 A logic error in str2simple
Closed: wontfix. Opened 7 years ago by nhosoi.

A very old fix made on str2simple introduced this logic error.

@@ -275,13 +277,17 @@ str2simple( char *str )
                }
                f->f_avvalue.bv_val = unqstr;
                f->f_avvalue.bv_len = len2;
-       }
+       } if ( !unescape_filter ) {
+               f->f_avtype = slapi_ch_strdup( str );
+               f->f_avvalue.bv_val = slapi_ch_strdup ( value );
+               f->f_avvalue.bv_len = strlen ( f->f_avvalue.bv_val );
+       }

        return( f );
 }
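Review bot: at `} if ( !unescape_filter ) {` the new block is a separate statement, not a branch of the if/else-if chain it is appended to, so for an LDAP_FILTER_PRESENT filter built with unescape_filter == 0 both the earlier f_type store and this f_avtype store execute; since f_type and f_avtype alias the same union member, the first slapi_ch_strdup( str ) result is overwritten and leaked. Chain it as `} else if ( !unescape_filter ) {` (or a plain `} else {`, since the else-if above already handles unescape_filter != 0) so exactly one copy of str is taken whatever the combination of f_choice and unescape_filter.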

This is the subset of the questionable code:

if ( f->f_choice == LDAP_FILTER_PRESENT ) {
    f->f_type = slapi_ch_strdup( str );      /* first copy of str */
} else if ( unescape_filter ) {
    f->f_avtype = slapi_ch_strdup( str );
} if ( !unescape_filter ) {                  /* not chained: also runs after the PRESENT branch */
    f->f_avtype = slapi_ch_strdup( str );    /* same union slot as f_type: first copy is lost */
}

f->f_type and f_avtype are sharing the same memory via union. If ( f->f_choice == LDAP_FILTER_PRESENT ) AND if ( !unescape_filter ), the first strdup'ed str is leaked.

Currently, there is no place to call str2simple with unescape_filter == 0. Thus, we have no memory leak caused by this error.
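To make the leak described above observable, here is an added, self-contained C example (not 389-ds-base code). It uses a constructed filter struct whose f_type and f_avtype alias each other through a union, a counting stand-in for slapi_ch_strdup/slapi_ch_free, and the buggy assignment next to a chained version; the function leaked_after reports how many strdup'ed strings remain live after the filter is released. The LDAP_FILTER_* values, struct layout and function names are placeholders chosen for this example, and the value-handling that differs between the two non-presence branches in the real code is omitted.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the filter choices; values are placeholders. */
#define LDAP_FILTER_PRESENT  0x87
#define LDAP_FILTER_EQUALITY 0xa3

/* Hypothetical stripped-down filter: f_type and f_avtype share one union
 * slot, which is the property the leak depends on. */
struct filter {
    int f_choice;
    union {
        char *f_type;    /* presence filter: attribute type only */
        char *f_avtype;  /* attribute-value assertion: the type half */
    } f_un;
};
#define f_type   f_un.f_type
#define f_avtype f_un.f_avtype

/* Counting allocator standing in for slapi_ch_strdup/slapi_ch_free:
 * live_allocs is the number of copies handed out and not yet freed. */
static int live_allocs = 0;

static char *counting_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy) { memcpy(copy, s, n); live_allocs++; }
    return copy;
}

static void counting_free(char **p) {
    if (*p) { free(*p); *p = NULL; live_allocs--; }
}

/* Buggy shape from the ticket: the third `if` is not part of the chain, so
 * for a presence filter with unescape_filter == 0 the f_avtype store
 * overwrites f_type and the first copy of str is never freed. */
static void set_type_buggy(struct filter *f, const char *str, int unescape_filter) {
    if (f->f_choice == LDAP_FILTER_PRESENT) {
        f->f_type = counting_strdup(str);
    } else if (unescape_filter) {
        f->f_avtype = counting_strdup(str);
    } if (!unescape_filter) {
        f->f_avtype = counting_strdup(str);
    }
}

/* Chained shape: exactly one copy of str is taken for any combination of
 * f_choice and unescape_filter. (The real branches also differ in how the
 * value is handled; that is omitted here.) */
static void set_type_fixed(struct filter *f, const char *str, int unescape_filter) {
    if (f->f_choice == LDAP_FILTER_PRESENT) {
        f->f_type = counting_strdup(str);
    } else if (unescape_filter) {
        f->f_avtype = counting_strdup(str);
    } else {
        f->f_avtype = counting_strdup(str);
    }
}

/* Release the filter the way its owner would: one free for the union slot.
 * Because the names alias, freeing through either releases the same pointer. */
static void filter_free(struct filter *f) {
    if (f->f_choice == LDAP_FILTER_PRESENT) counting_free(&f->f_type);
    else counting_free(&f->f_avtype);
}

/* Build one filter with the given variant, free it, and return how many
 * strdup'ed strings are still live: 0 means no leak, 1 means the overwritten copy. */
static int leaked_after(void (*set_type)(struct filter *, const char *, int),
                        int choice, int unescape_filter) {
    struct filter f;
    memset(&f, 0, sizeof f);
    f.f_choice = choice;
    live_allocs = 0;
    set_type(&f, "cn", unescape_filter);
    filter_free(&f);
    return live_allocs;
}

int main(void) {
    printf("buggy, PRESENT, unescape_filter=0: leaked %d\n",
           leaked_after(set_type_buggy, LDAP_FILTER_PRESENT, 0));
    printf("buggy, PRESENT, unescape_filter=1: leaked %d\n",
           leaked_after(set_type_buggy, LDAP_FILTER_PRESENT, 1));
    printf("fixed, PRESENT, unescape_filter=0: leaked %d\n",
           leaked_after(set_type_fixed, LDAP_FILTER_PRESENT, 0));
    return 0;
}
```

The only combination that leaks is the one the ticket names (presence filter plus unescape_filter == 0); every other path takes a single copy in both variants, which is why the bug stayed invisible while no caller passed unescape_filter == 0.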


Fix description: str2simple sets the strdup'ed type this way:
    if ( f->f_choice == LDAP_FILTER_PRESENT ) {
        f->f_type = slapi_ch_strdup( str );
    } else if ( unescape_filter ) {
        f->f_avtype = slapi_ch_strdup( str );
    } if ( !unescape_filter ) {
        f->f_avtype = slapi_ch_strdup( str );
    }
If f_choice is LDAP_FILTER_PRESENT and !unescape_filter is
true, the first strdup'ed string is leaked since f_type
and f_avtype share the same memory. But currently, str2simple
is not called with (unescape_filter == 0). Thus there is no
chance to satisfy the condition. This patch fixes the flaw.

Reviewed by Rich (Thank you!!)

Pushed to master: commit 24e80bf

Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.3.1

3 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/603

If you want to receive further updates on the issue, please navigate to the github issue
and click on the subscribe button.

Thank you for understanding. We apologize for any inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

6 days ago
