Bug 602532 - coverity: agmtlist_delete_callback: object_release and objset_remove_obj
Summary: coverity: agmtlist_delete_callback: object_release and objset_remove_obj
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: 389
Classification: Retired
Component: Replication - General
Version: 1.2.6
Hardware: All
OS: Linux
Priority: high
Severity: medium
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Chandrasekar Kannan
URL: http://10.16.47.145:8080/sourcebrowse...
Whiteboard:
Depends On:
Blocks: 434915 389_1.2.7
Reported: 2010-06-10 04:18 UTC by Noriko Hosoi
Modified: 2015-01-04 23:42 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-09-14 18:48:04 UTC



Description Noriko Hosoi 2010-06-10 04:18:41 UTC
Description of problem:
12277 USE_AFTER_FREE Triaged Bug Minor Fix Required agmtlist_delete_callback()
file: ds/ldap/servers/plugins/replication/repl5_agmtlist.c

Status: New → Triaged
Classification: Unclassified → Bug
Action: Undecided → Fix Required
Severity: Unspecified → Minor

Comment:
objset_find acquires a reference to ro; the object_release releases that reference; objset_remove_obj will release the reference the agmt_set has on ro; this should be the last reference and should free ro; should set ro to NULL to avoid any further references.

Comment 2 Noriko Hosoi 2010-09-14 18:48:04 UTC
Comment:
The current coding is correct. It has no chance to use the address of an object after it is freed. Here's the reason. When an object is added to an objset, refcnt is incremented by 1. In agmtlist_delete_callback, ro is returned from objset_find, which increments refcnt by 1. I.e., the refcnt is at least 2 at line 538. In object_release, refcnt is decreased by 1, where refcnt is still positive and the object ro is left untouched. The following objset_remove_obj really releases the object regardless of the refcnt value. Also, the function objset_remove_obj asserts that the given object must not be NULL: "PR_ASSERT(NULL != object);"
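The reference-count argument from comment 2, worked through as an added example. This is not code from 389 DS: the object/objset model and the bodies of objset_find, object_release and objset_remove_obj are assumed for illustration; only the call order and the NULL precondition come from the page.

```c
#include <assert.h>
#include <stdlib.h>

/* Simplified model (assumed for illustration, not 389 DS's real object.c/objset.c):
 * an object carries a refcnt; a set holds one reference per member; find hands
 * the caller a second reference that the caller must release. */
typedef struct { int refcnt; int id; } Object;
typedef struct { Object *items[8]; int count; } Objset;
static int freed_count = 0;   /* counts frees so the scenario can check for exactly one */

static Object *object_new(int id) { Object *o = calloc(1, sizeof *o); o->id = id; o->refcnt = 1; return o; }
static void object_acquire(Object *o) { o->refcnt++; }
static void object_release(Object *o) {      /* free only when the last reference goes away */
    assert(o->refcnt > 0);
    if (--o->refcnt == 0) { freed_count++; free(o); }
}
static void objset_add(Objset *s, Object *o) {   /* the set takes its own reference */
    object_acquire(o); s->items[s->count++] = o;
}
static Object *objset_find(Objset *s, int id) {  /* returns a reference the caller must release */
    for (int i = 0; i < s->count; i++)
        if (s->items[i]->id == id) { object_acquire(s->items[i]); return s->items[i]; }
    return NULL;
}
static void objset_remove_obj(Objset *s, Object *o) {   /* unlink, then drop the set's reference */
    assert(NULL != o);                                    /* the precondition comment 2 quotes */
    for (int i = 0; i < s->count; i++)
        if (s->items[i] == o) { s->items[i] = s->items[--s->count]; object_release(o); return; }
}

/* The order used in agmtlist_delete_callback: find, release, remove_obj.
 * Returns the refcnt seen between release and remove_obj (-1 if not found). */
static int delete_sequence(Objset *s, int id) {
    Object *ro = objset_find(s, id);   /* set's ref + find's ref: at least 2 */
    if (ro == NULL) return -1;
    object_release(ro);                /* drops find's ref only; the set's ref keeps ro alive */
    int seen = ro->refcnt;             /* still >= 1, so this read is not a use-after-free */
    objset_remove_obj(s, ro);          /* drops the set's (last) ref: ro is freed here */
    ro = NULL;                         /* no further use, as the Coverity note asks */
    return seen;
}

/* One object held only by the set, then the delete sequence: expect refcnt 1
 * between the two calls, exactly one free, and an empty set. Returns 0 on success. */
static int run_scenario(void) {
    Objset s = {0};
    Object *o = object_new(42);
    objset_add(&s, o); object_release(o);   /* creator lets go: refcnt 1, held by the set alone */
    freed_count = 0;
    int seen = delete_sequence(&s, 42);
    return (seen == 1 && freed_count == 1 && s.count == 0) ? 0 : 1;
}
```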

