If you send an attribute type that is the null string, e.g. "\0", the code in do_modify will reject it, e.g. if ( !mod->mod_type || !*mod->mod_type ) { However, if mod->mod_type, this code will not free the 1 byte length string allocated by the previous line slapi_attr_syntax_normalize(type).
*** modify.c.~1.12.~ 2006-09-01 14:01:10.000000000 -0600 --- modify.c 2006-10-12 15:04:55.000000000 -0600 *************** *** 202,207 **** --- 202,208 ---- send_ldap_result( pb, LDAP_INVALID_SYNTAX, NULL, ebuf, 0, NULL ); slapi_ch_free((void **)&type); ber_bvecfree(mod->mod_bvalues); + ldap_memfree(mod->mod_type); slapi_ch_free((void **)&mod); goto free_and_return;
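Review bot: the added ldap_memfree(mod->mod_type) is the only release in this block that does not go through the slapi_ch_free family; the lines on either side free type and mod with slapi_ch_free((void **)&...). Mixing release APIs on one error path makes it easy to pair a buffer with the wrong deallocator, so suggest slapi_ch_free((void **)&mod->mod_type) or the string variant here, which takes the pointer's address like its neighbours.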
Looks good. I'm just curious... Why did you choose "ldap_memfree", not "slapi_ch_free"?
Oops, you're right. I should have used slapi_ch_free_string(). Here is the new diff: *** modify.c.~1.12.~ 2006-09-01 14:01:10.000000000 -0600 --- modify.c 2006-10-12 15:52:07.000000000 -0600 *************** *** 202,207 **** --- 202,208 ---- send_ldap_result( pb, LDAP_INVALID_SYNTAX, NULL, ebuf, 0, NULL ); slapi_ch_free((void **)&type); ber_bvecfree(mod->mod_bvalues); + slapi_ch_free_string(&mod->mod_type); slapi_ch_free((void **)&mod); goto free_and_return; }
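Review bot: the new slapi_ch_free_string(&mod->mod_type) sits on a path that is reached when mod->mod_type is NULL as well as when it is an empty string, going by the !mod->mod_type || !*mod->mod_type test quoted in the report, so the call relies on the helper accepting a NULL string; a one-line comment saying so would help the next reader. Its position before slapi_ch_free((void **)&mod) is required and should be kept, since mod_type cannot be reached once mod is released.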
Oh, okay. Then, "no question" about it. ;)
Reviewed by: nhosoi (Thanks!)
Files: see diff
Branch: HEAD
Fix Description: Just call ldap_memfree() with the mod->mod_type. This is safe to call with NULL.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no

Checking in modify.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/modify.c,v <-- modify.c
new revision: 1.13; previous revision: 1.12
done
Verified that we are indeed freeing the mod type in the current code. Marking as VERIFIED.
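The leak discussed in this report, as an added sketch that is not the server's code: the struct, the counting allocator and every function name below are hypothetical, and a plain string copy stands in for slapi_attr_syntax_normalize(). It shows that each rejected empty attribute type leaves one allocation behind until the reject path frees the type string as well.

```c
#include <stdlib.h>
#include <string.h>

static long live_allocs;                 /* allocations not yet released */

/* Counting wrappers (hypothetical) so the leak can be measured. */
static void *t_alloc(size_t n) {
    void *p = calloc(1, n);
    if (!p) abort();
    live_allocs++;
    return p;
}
static void t_free(void *p) {            /* tolerates NULL */
    if (p) { free(p); live_allocs--; }
}

struct mod_sketch { char *mod_type; };   /* stand-in for the real mod struct */

/* Stand-in for the normalize step: always returns a fresh copy,
 * so an empty input still costs a 1-byte allocation. */
static char *copy_type(const char *s) {
    char *d = t_alloc(strlen(s) + 1);
    strcpy(d, s);
    return d;
}

/* Returns 0 when the type is accepted, -1 when it is rejected.
 * free_type_on_reject = 0 models the code before the fix, 1 after it. */
static int handle_mod(const char *wire_type, int free_type_on_reject) {
    struct mod_sketch *mod = t_alloc(sizeof *mod);
    mod->mod_type = copy_type(wire_type);
    if (!mod->mod_type || !*mod->mod_type) {
        if (free_type_on_reject)
            t_free(mod->mod_type);       /* the one-line fix */
        t_free(mod);                     /* mod_type is unreachable after this */
        return -1;
    }
    t_free(mod->mod_type);               /* accepted: normal cleanup */
    t_free(mod);
    return 0;
}

/* Send n requests with an empty type; return allocations left behind. */
static long leaked_after(int n, int fixed) {
    live_allocs = 0;
    for (int i = 0; i < n; i++)
        handle_mod("", fixed);
    return live_allocs;
}

int main(void) { return leaked_after(1000, 1) == 0 ? 0 : 1; }
```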