Bug 514824
| Summary: | Multi-macro ACIs can cause double free if macro attribute does not exist | | |
|---|---|---|---|
| Product: | [Retired] 389 | Reporter: | Nathan Kinder <nkinder> |
| Component: | Security - Access Control (ACL) | Assignee: | Nathan Kinder <nkinder> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Viktor Ashirov <vashirov> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 1.2.1 | CC: | jgalipea, rmeggins |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-12-07 16:43:53 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 434914, 517385 | | |
Description
Nathan Kinder
2009-07-30 22:30:03 UTC
Created attachment 355736: Patch
Created attachment 355737: Test LDIF
Import this LDIF to reproduce the bug. To trigger the crash, perform the following operation as the "uid=admin,ou=people,o=test,dc=example,dc=com" user:
dn: uid=user,ou=people,o=test,dc=example,dc=com
changetype: modify
add: sn
sn: foo
Created attachment 355739: Test LDIF
Created attachment 355753: Revised patch
This fix addresses some issues pointed out by Noriko.
The list "a" was being set to NULL when we found an attribute match for a macro, but this is no longer necessary now that we reset "a" to NULL when the memory is handed off to the working_list (which covers both the cases of finding/not finding the attribute).
We were also accessing element 0 of list "a" right after handing the memory off to the working_list, but we weren't checking if "a" was NULL first. I don't believe that "a" could be NULL at this point, but it's safest to check first in case there is some corner case we're not considering.
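The hand-off described in the comment above, as an added example that is not part of the bug report or the 389 Directory Server source: a simplified C model in which a list `a` is handed to `working_list` on each macro step and both pointers are freed on cleanup. All names (`evaluate`, `t_alloc`, `t_free`, `reset_policy`) are hypothetical, the sample values are constructed, and the tracking allocator counts a double free instead of performing it.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_LIVE 16
static void *live[MAX_LIVE];  /* allocations that currently have an owner */
static int double_frees;      /* frees of memory that no longer has one */

static void *t_alloc(size_t n) {
    void *p = calloc(1, n);
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; break; }
    return p;
}

static void t_free(void *p) {
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;           /* a real free() here would corrupt the heap */
}

enum reset_policy { RESET_ON_MATCH_ONLY, RESET_AT_HANDOFF };
/* Walk n macro steps; vals[m] == NULL models a macro attribute that does
 * not exist. Returns how many double frees the cleanup path attempted. */
int evaluate(const char *const *vals, int n, enum reset_policy policy) {
    char **working_list = NULL, **a = NULL;
    double_frees = 0;
    for (int m = 0; m < n; m++) {
        a = t_alloc(2 * sizeof(char *));   /* NULL-terminated value list */
        if (!a) break;
        a[0] = (char *)vals[m];            /* borrowed string, never freed */
        t_free(working_list);
        working_list = a;                  /* ownership moves to working_list */
        int matched = (a != NULL && a[0] != NULL);  /* check before a[0] */
        if (policy == RESET_AT_HANDOFF || matched)
            a = NULL;                      /* 'a' must not be freed again */
    }
    t_free(a);                             /* cleanup frees both pointers */
    t_free(working_list);
    return double_frees;
}

int main(void) {
    const char *vals[] = { "alice", NULL };  /* constructed sample input */
    printf("match-only reset: %d, hand-off reset: %d\n",
           evaluate(vals, 2, RESET_ON_MATCH_ONLY),
           evaluate(vals, 2, RESET_AT_HANDOFF));
    return 0;
}
```

Building the model with `-fsanitize=address` and replacing `t_free` with plain `free` makes the match-only policy abort with a double-free report on the same input.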
Pushed patch from comment#4 to master. Thanks to Noriko for her review!

1. initialized database and add attached ldif
2. performed modification as described in comment 2

RESULT:
No crash -

ldapmodify -x -h jgalipea-rhel4.idm.lab.bos.redhat.com -p 389 -D "uid=admin,ou=people,o=test,dc=example,dc=com" -w Secret12 -f mod.ldif
modifying entry "uid=user,ou=people,o=test,dc=example,dc=com"
ldap_modify: Insufficient access (50)
additional info: Insufficient 'write' privilege to the 'sn' attribute of entry 'uid=user,ou=people,o=test,dc=example,dc=com'.

Is this the expected result?

thanks

(In reply to comment #6)
> 1. initialized database and add attached ldif
> 2. performed modification as described in comment 2
>
> RESULT:
> No crash -
>
> ldapmodify -x -h jgalipea-rhel4.idm.lab.bos.redhat.com -p 389 -D
> "uid=admin,ou=people,o=test,dc=example,dc=com" -w Secret12 -f mod.ldif
> modifying entry "uid=user,ou=people,o=test,dc=example,dc=com"
> ldap_modify: Insufficient access (50)
> additional info: Insufficient 'write' privilege to the 'sn' attribute of entry
> 'uid=user,ou=people,o=test,dc=example,dc=com'.
>
> Is this the expected result?
>
> thanks

Yes, this is fine. The only thing we are looking for here is no crash.