If you have an ACI with multiple macros in it and the second attribtue does not exist in the entry you are bound as, the in-memory list used for macro substitution is free'd twice. The code swaps hands the charray it plans to return after substitution over to a working list, but it doesn't set the return list to NULL. When the second macro attribute is not found, the working list is free'd, yet the address is returned to the caller, who then tries to free the list a second time. The fix is to set the list to be returned to NULL when the memory is handed over to the working list.
Created attachment 355736 [details] Patch
Created attachment 355737 [details] Test LDIF Import this LDIF to reproduce the bug. To trigger the crash, perform the following operation as the "uid=admin,ou=people,o=test,dc=example,dc=com" user: dn: uid=user,ou=people,o=test,dc=example,dc=com changetype: modify add: sn sn: foo
Created attachment 355739 [details] Test LDIF
Created attachment 355753 [details] Revised patch This fix addresses some issues pointed out by Noriko. The list "a" was being set to NULL when we found an attribute match for a macro, but this is no longer necessary now that we reset "a" to NULL when the memory is handed off to the working_list (which covers both the cases of finding/not finding the attribute). We were also accessing element 0 of list "a" right after handing the memory off to the working_list, but we weren't checking if "a" was NULL first. I don't believe that "a" could be NULL at this point, but it's safest to check first in case there is some corner case we're not considering.
Pushed patch from comment#4 to master. Thanks to Noriko for her review!
1. initialized database and add attached ldif 2. performed modification as described in comment 2 RESULT: No crash - ldapmodify -x -h jgalipea-rhel4.idm.lab.bos.redhat.com -p 389 -D "uid=admin,ou=people,o=test,dc=example,dc=com" -w Secret12 -f mod.ldif modifying entry "uid=user,ou=people,o=test,dc=example,dc=com" ldap_modify: Insufficient access (50) additional info: Insufficient 'write' privilege to the 'sn' attribute of entry 'uid=user,ou=people,o=test,dc=example,dc=com'. Is this the expected result? thanks
(In reply to comment #6) > 1. initialized database and add attached ldif > 2. performed modification as described in comment 2 > > RESULT: > No crash - > > ldapmodify -x -h jgalipea-rhel4.idm.lab.bos.redhat.com -p 389 -D > "uid=admin,ou=people,o=test,dc=example,dc=com" -w Secret12 -f mod.ldif > modifying entry "uid=user,ou=people,o=test,dc=example,dc=com" > ldap_modify: Insufficient access (50) > additional info: Insufficient 'write' privilege to the 'sn' attribute of entry > 'uid=user,ou=people,o=test,dc=example,dc=com'. > > Is this the expected result? > > thanks Yes, this is fine. The only thing we are looking for here is no crash.