upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-12-29 11:09:34 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

ITS#9249 librewrite: fix malloc/free corruption

Browse source 
If substitution parsing fails, would attempt to free a mapping
that hadn't been allocated yet.

Also, on failure, caller in saslauthz would attempt to free a
rwinfo struct that hadn't been allocated.
This commit is contained in:
Howard Chu 2020-08-22 12:38:10 +01:00 committed by Quanah Gibson-Mount
parent 8a521c17aa
commit 88e569d857
2 changed files with 12 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
libraries/librewrite/subst.c
View file

@ -32,7 +32,7 @@ rewrite_subst_compile(
{
size_t subs_len;
struct berval *subs = NULL, *tmps;
struct rewrite_submatch *submatch = NULL;
struct rewrite_submatch *submatch = NULL, *tmpsm;
struct rewrite_subst *s = NULL;
@ -71,7 +71,16 @@ rewrite_subst_compile(
goto cleanup;
}
subs = tmps;
subs[ nsub ].bv_val = NULL;
tmpsm = ( struct rewrite_submatch * )realloc( submatch,
sizeof( struct rewrite_submatch )*( nsub + 1 ) );
if ( tmpsm == NULL ) {
goto cleanup;
}
submatch = tmpsm;
submatch[ nsub ].ls_map = NULL;
/*
* I think an `if l > 0' at runtime is better outside than
* inside a function call ...
@ -95,19 +104,12 @@ rewrite_subst_compile(
* Substitution pattern
*/
if ( isdigit( (unsigned char) p[ 1 ] ) ) {
struct rewrite_submatch *tmpsm;
int d = p[ 1 ] - '0';
/*
* Add a new value substitution scheme
*/
tmpsm = ( struct rewrite_submatch * )realloc( submatch,
sizeof( struct rewrite_submatch )*( nsub + 1 ) );
if ( tmpsm == NULL ) {
goto cleanup;
}
submatch = tmpsm;
submatch[ nsub ].ls_submatch = d;
/*
@ -140,7 +142,6 @@ rewrite_subst_compile(
*/
} else if ( p[ 1 ] == '{' ) {
struct rewrite_map *map;
struct rewrite_submatch *tmpsm;
map = rewrite_map_parse( info, p + 2,
(const char **)&begin );
@ -152,13 +153,6 @@ rewrite_subst_compile(
/*
* Add a new value substitution scheme
*/
tmpsm = ( struct rewrite_submatch * )realloc( submatch,
sizeof( struct rewrite_submatch )*( nsub + 1 ) );
if ( tmpsm == NULL ) {
rewrite_map_destroy( &map );
goto cleanup;
}
submatch = tmpsm;
submatch[ nsub ].ls_type =
REWRITE_SUBMATCH_MAP_W_ARG;
submatch[ nsub ].ls_map = map;

2
servers/slapd/saslauthz.c
View file

@ -1532,7 +1532,7 @@ int slap_sasl_regexp_config( const char *match, const char *replace, int valx )
slap_sasl_rewrite_destroy();
sasl_rwinfo = rw;
} else {
} else if ( rw ) {
rewrite_info_delete( &rw );
}