Bug 690536

Summary: Double free in dse_add()
Product: Red Hat Enterprise Linux 6 Reporter: Nathan Kinder <nkinder>
Component: 389-ds-baseAssignee: Rich Megginson <rmeggins>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.1CC: amsharma, benl, dpal, jgalipea, kevinu, rmeggins
Target Milestone: rcKeywords: screened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 389-ds-base-1.2.8-0.8.rc2.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 690526 Environment:
Last Closed: 2011-05-19 12:42:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 690526    
Bug Blocks:    

Description Nathan Kinder 2011-03-24 15:40:27 UTC 
+++ This bug was initially created as a clone of Bug #690526 +++

It's possible to encounter a double free of a Slapi_Entry in an error condition in dse_add().  This function makes a copy of the entry being added for use by postop plug-ins, but it can be free'd twice in the following code:

  e_copy = slapi_entry_dup(e);
  if ( dse_add_entry_pb(pdse, e_copy, pb) != 0)
  {
      slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
      slapi_sdn_done(&sdn);
      return dse_add_return(error, e_copy);
  }

The dse_add_entry_pb() function frees the passed in entry in all conditions, but dse_add_return() also free's the passed in entry.  This double free could trigger a crash.

The way dse_add works is that entry in SLAPI_ADD_ENTRY in the pblock should be consumed upon success, but will be left for the caller to deal with upon failure.  We should be passing NULL for the second argument to dse_add_return() to avoid the double free.

--- Additional comment from nkinder on 2011-03-24 11:18:30 EDT ---

Created attachment 487370 [details]
Patch for cov#10734

--- Additional comment from rmeggins on 2011-03-24 11:24:27 EDT ---

Do we need to get this in asap?

--- Additional comment from nkinder on 2011-03-24 11:37:24 EDT ---

(In reply to comment #2)
> Do we need to get this in asap?

I don't know how easy it is to trigger this issue since it is in an error block when adding an entry to the dse backend, but it seems like we should try to get it in ASAP to me.

--- Additional comment from nkinder on 2011-03-24 11:39:15 EDT ---

Pushed to master.  Thanks to Rich for his review!

Counting objects: 11, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 1.02 KiB, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   b41338f..1b22679  master -> master
Comment 1 Jenny Severance 2011-03-24 15:43:09 UTC 
Can you please add steps to reproduce? Thanks jenny
Comment 2 Nathan Kinder 2011-03-24 15:46:59 UTC 
(In reply to comment #1)
> Can you please add steps to reproduce? Thanks jenny

Sorry, this was found via a Coverity scan.  The issue can only be triggered by some sort of internal error condition, so I don't know how easy it would be to reproduce.  I believe we should re-run Coverity for verification.
Comment 3 Rich Megginson 2011-03-28 22:59:19 UTC 
Checking in 0008-Bug-690526-cov-10734-Double-free-in-dse_add.patch;
/cvs/dist/rpms/389-ds-base/RHEL-6/0008-Bug-690526-cov-10734-Double-free-in-dse_add.patch,v  <--  0008-Bug-690526-cov-10734-Double-free-in-dse_add.patch
initial revision: 1.1
done
Checking in 389-ds-base.spec;
/cvs/dist/rpms/389-ds-base/RHEL-6/389-ds-base.spec,v  <--  389-ds-base.spec
new revision: 1.19; previous revision: 1.18
done
Comment 5 Chandrasekar Kannan 2011-04-20 23:36:32 UTC 
Coverity related. Can I ask dev to confirm that subsequent coverity runs aren't showing this issue ?.
Comment 6 Rich Megginson 2011-04-29 14:22:17 UTC 
verified - coverity shows no issue
Comment 7 Amita Sharma 2011-05-02 05:49:50 UTC 
Thanks for the confirmation Rich.
Comment 8 errata-xmlrpc 2011-05-19 12:42:55 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0533.html