Bug 185780

Summary: one byte memory leak in modify
Product: [Retired] 389 Reporter: Rich Megginson <rmeggins>
Component: Directory Server Assignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE QA Contact: Viktor Ashirov <vashirov>
Severity: medium Docs Contact:
Priority: medium    
Version: 1.0   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-07 16:56:53 UTC Type: ---
Bug Blocks: 152373, 208654, 240316    

Description Rich Megginson 2006-03-17 22:13:42 UTC
If you send an attribute type that is the null string e.g. "\0", the code in
do_modify will reject it e.g.
		if ( !mod->mod_type || !*mod->mod_type ) {
However, if mod->mod_type, this code will not free the 1 byte length string
allocated by the previous line slapi_attr_syntax_normalize(type).
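
The leak pattern described above, reduced to a stand-alone C model with an allocation counter. This is an added example, not 389 Directory Server code: x_alloc, x_free, normalize_copy, handle_mod and leaked_after are hypothetical stand-ins, and the normalizer is assumed to return a fresh heap copy even for an empty string, as the description states.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static long live_allocs = 0;   /* allocations not yet freed */

static void *x_alloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
/* Frees *pp, decrements the counter and NULLs the caller's pointer. */
static void x_free(void **pp) { if (*pp) { free(*pp); live_allocs--; *pp = NULL; } }

struct mod { char *mod_type; };   /* hypothetical, reduced to the one field */

/* Stand-in normalizer: "" still costs a 1-byte allocation for the NUL. */
static char *normalize_copy(const char *s) {
    char *c = x_alloc(strlen(s) + 1);
    if (c) strcpy(c, s);
    return c;
}

/* Returns 0 if the modification is accepted, -1 if it is rejected. */
static int handle_mod(const char *wire_type, int fixed) {
    struct mod *m = x_alloc(sizeof *m);
    if (!m) return -1;
    m->mod_type = normalize_copy(wire_type);
    if (!m->mod_type || !*m->mod_type) {            /* same test as in the report */
        if (fixed) x_free((void **)&m->mod_type);   /* the free the old path lacked */
        x_free((void **)&m);                        /* old path: only the struct */
        return -1;
    }
    x_free((void **)&m->mod_type);                  /* normal path frees both */
    x_free((void **)&m);
    return 0;
}

/* Net allocations left behind by n rejected requests with an empty type. */
long leaked_after(int n, int fixed) {
    long before = live_allocs;
    for (int i = 0; i < n; i++) handle_mod("", fixed);
    return live_allocs - before;
}

int main(void) {
    printf("unfixed: %ld leaked\n", leaked_after(1000, 0));
    printf("fixed:   %ld leaked\n", leaked_after(1000, 1));
    return 0;
}
```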

Comment 1 Rich Megginson 2006-10-12 21:01:23 UTC
*** modify.c.~1.12.~	2006-09-01 14:01:10.000000000 -0600
--- modify.c	2006-10-12 15:04:55.000000000 -0600
***************
*** 202,207 ****
--- 202,208 ----
  			send_ldap_result( pb, LDAP_INVALID_SYNTAX, NULL, ebuf, 0, NULL );
  			slapi_ch_free((void **)&type);
  			ber_bvecfree(mod->mod_bvalues);
+ 			ldap_memfree(mod->mod_type);
  			slapi_ch_free((void **)&mod);
  			goto free_and_return;
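Review bot: The added ldap_memfree(mod->mod_type) line frees this string through a different routine than the neighbouring lines, which go through slapi_ch_free. Per the description the string comes from slapi_attr_syntax_normalize(), so it should be released with the matching slapi call, e.g. slapi_ch_free_string(&mod->mod_type), which takes the pointer's address like the slapi_ch_free calls beside it.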


Comment 2 Noriko Hosoi 2006-10-12 21:32:24 UTC
Looks good.  I'm just curious... Why did you choose "ldap_memfree", not "slapi_ch_free"?

Comment 3 Rich Megginson 2006-10-12 21:49:02 UTC
Oops, you're right.  I should have used slapi_ch_free_string().  Here is the new
diff:
*** modify.c.~1.12.~	2006-09-01 14:01:10.000000000 -0600
--- modify.c	2006-10-12 15:52:07.000000000 -0600
***************
*** 202,207 ****
--- 202,208 ----
  			send_ldap_result( pb, LDAP_INVALID_SYNTAX, NULL, ebuf, 0, NULL );
  			slapi_ch_free((void **)&type);
  			ber_bvecfree(mod->mod_bvalues);
+ 			slapi_ch_free_string(&mod->mod_type);
  			slapi_ch_free((void **)&mod);
  			goto free_and_return;
  		}
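Review bot: The teardown of mod before goto free_and_return is still open-coded field by field (mod_bvalues, mod_type, then mod itself), which is how mod_type came to be missed. Any other branch that frees mod by hand before jumping to free_and_return needs the same slapi_ch_free_string(&mod->mod_type) line; a single helper that frees all three would keep the error paths from drifting apart again.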


Comment 4 Noriko Hosoi 2006-10-12 22:18:00 UTC
Oh, okay.  Then, "no question" about it. ;)

Comment 5 Rich Megginson 2006-10-12 22:32:40 UTC
Reviewed by: nhosoi (Thanks!)
Files: see diff
Branch: HEAD
Fix Description: Just call ldap_memfree() with the mod->mod_type.  This is safe
to call with NULL.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no

Checking in modify.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/modify.c,v  <--  modify.c
new revision: 1.13; previous revision: 1.12
done


Comment 6 Nathan Kinder 2007-12-20 19:23:52 UTC
Verified that we are indeed freeing the mod type in the current code.

Marking as VERIFIED.