Bug 614511 - fix coverity Defect Type: Null pointer dereferences issues 11846 - 11891
Summary: fix coverity Defect Type: Null pointer dereferences issues 11846 - 11891
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: 389
Classification: Retired
Component: Directory Server
Version: 1.2.7
Hardware: All
OS: All
high
low
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 389_1.2.7 636700 639035
 
Reported: 2010-07-14 16:03 UTC by Endi Sukma Dewata
Modified: 2015-01-04 23:43 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-01-03 19:54:25 UTC
Embargoed:


Attachments
0001-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (2.22 KB, patch) - 2010-07-15 17:57 UTC, Endi Sukma Dewata - nhosoi: review+
0002-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (2.09 KB, patch) - 2010-07-15 17:58 UTC, Endi Sukma Dewata - nhosoi: review-
0003-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (1.43 KB, patch) - 2010-07-15 17:58 UTC, Endi Sukma Dewata - nhosoi: review+
0004-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (1.83 KB, patch) - 2010-07-15 17:58 UTC, Endi Sukma Dewata - nhosoi: review+
0005-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (2.08 KB, patch) - 2010-07-15 17:59 UTC, Endi Sukma Dewata - nhosoi: review+
0006-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (1.68 KB, patch) - 2010-07-15 17:59 UTC, Endi Sukma Dewata - nhosoi: review+
0007-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (5.28 KB, patch) - 2010-07-15 17:59 UTC, Endi Sukma Dewata - nhosoi: review+
0008-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (2.95 KB, patch) - 2010-07-15 18:00 UTC, Endi Sukma Dewata - nhosoi: review-
0009-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (1.72 KB, patch) - 2010-07-15 18:01 UTC, Endi Sukma Dewata - nhosoi: review+
0010-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (2.16 KB, patch) - 2010-07-15 18:03 UTC, Endi Sukma Dewata - nhosoi: review-
0011-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (2.04 KB, patch) - 2010-07-15 18:04 UTC, Endi Sukma Dewata - nhosoi: review+
0012-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (1.22 KB, patch) - 2010-07-15 18:07 UTC, Endi Sukma Dewata - nhosoi: review-
0013-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (2.20 KB, patch) - 2010-07-15 18:07 UTC, Endi Sukma Dewata - nhosoi: review-
0014-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (1.24 KB, patch) - 2010-07-15 18:08 UTC, Endi Sukma Dewata - nhosoi: review+
0015-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (1.20 KB, patch) - 2010-07-15 18:08 UTC, Endi Sukma Dewata - nhosoi: review+
0016-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (2.07 KB, patch) - 2010-07-15 18:09 UTC, Endi Sukma Dewata - nhosoi: review+
0017-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (1.08 KB, patch) - 2010-07-15 18:09 UTC, Endi Sukma Dewata - nhosoi: review+
0018-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (1.37 KB, patch) - 2010-07-15 18:09 UTC, Endi Sukma Dewata - nhosoi: review+
0019-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (967 bytes, patch) - 2010-07-15 18:10 UTC, Endi Sukma Dewata - nhosoi: review-
0020-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (1.50 KB, patch) - 2010-07-15 18:10 UTC, Endi Sukma Dewata - nhosoi: review+
0021-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (1.19 KB, patch) - 2010-07-15 18:11 UTC, Endi Sukma Dewata - nhosoi: review+
0022-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (1.18 KB, patch) - 2010-07-15 18:11 UTC, Endi Sukma Dewata - nhosoi: review-
0023-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (3.50 KB, patch) - 2010-07-15 18:12 UTC, Endi Sukma Dewata - nhosoi: review-
0001-Bug-614511-fix-coverity-Defect-Type-Null-pointer-der.patch (2.20 KB, patch) - 2010-08-16 23:10 UTC, Noriko Hosoi - nhosoi: review?, rmeggins: review+
0002a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (1.71 KB, patch) - 2010-08-17 23:07 UTC, Endi Sukma Dewata - nhosoi: review+
0008a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (1.27 KB, patch) - 2010-08-17 23:09 UTC, Endi Sukma Dewata - nhosoi: review+
0010a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (2.52 KB, patch) - 2010-08-17 23:14 UTC, Endi Sukma Dewata - nhosoi: review+
0012a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (2.59 KB, patch) - 2010-08-17 23:19 UTC, Endi Sukma Dewata - nhosoi: review+
0013a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (2.19 KB, patch) - 2010-08-17 23:21 UTC, Endi Sukma Dewata - nhosoi: review+
0018a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (1.36 KB, patch) - 2010-08-17 23:24 UTC, Endi Sukma Dewata - nhosoi: review+
0019a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (1006 bytes, patch) - 2010-08-17 23:26 UTC, Endi Sukma Dewata - nhosoi: review+
0022a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (5.50 KB, patch) - 2010-08-17 23:29 UTC, Endi Sukma Dewata - nhosoi: review+
0023a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch (4.52 KB, patch) - 2010-08-17 23:33 UTC, Endi Sukma Dewata - nhosoi: review+


Links
Red Hat Product Errata RHBA-2011:0003 (priority: normal, status: SHIPPED_LIVE): redhat-ds-base bug fix update, last updated 2011-01-03 19:54:07 UTC

Description Endi Sukma Dewata 2010-07-14 16:03:08 UTC
fix coverity Defect Type: Null pointer dereferences issues 11846 - 11891

Comment 2 Endi Sukma Dewata 2010-07-15 17:57:39 UTC
Created attachment 432160 [details]
0001-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

Comment 3 Endi Sukma Dewata 2010-07-15 17:58:04 UTC
Created attachment 432161 [details]
0002-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

Comment 4 Endi Sukma Dewata 2010-07-15 17:58:38 UTC
Created attachment 432163 [details]
0003-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

Comment 5 Endi Sukma Dewata 2010-07-15 17:58:56 UTC
Created attachment 432164 [details]
0004-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

Comment 6 Endi Sukma Dewata 2010-07-15 17:59:14 UTC
Created attachment 432165 [details]
0005-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

Comment 7 Endi Sukma Dewata 2010-07-15 17:59:32 UTC
Created attachment 432166 [details]
0006-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

Comment 8 Endi Sukma Dewata 2010-07-15 17:59:57 UTC
Created attachment 432167 [details]
0007-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

Comment 9 Endi Sukma Dewata 2010-07-15 18:00:17 UTC
Created attachment 432168 [details]
0008-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

Comment 10 Endi Sukma Dewata 2010-07-15 18:01:13 UTC
Created attachment 432169 [details]
0009-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

Comment 11 Endi Sukma Dewata 2010-07-15 18:03:20 UTC
Created attachment 432170 [details]
0010-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

Comment 12 Endi Sukma Dewata 2010-07-15 18:04:24 UTC
Created attachment 432171 [details]
0011-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

Comment 13 Endi Sukma Dewata 2010-07-15 18:07:23 UTC
Created attachment 432173 [details]
0012-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

Comment 14 Endi Sukma Dewata 2010-07-15 18:07:50 UTC
Created attachment 432174 [details]
0013-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

Comment 15 Endi Sukma Dewata 2010-07-15 18:08:12 UTC
Created attachment 432175 [details]
0014-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

Comment 16 Endi Sukma Dewata 2010-07-15 18:08:39 UTC
Created attachment 432176 [details]
0015-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

Comment 17 Endi Sukma Dewata 2010-07-15 18:09:07 UTC
Created attachment 432177 [details]
0016-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

Comment 18 Endi Sukma Dewata 2010-07-15 18:09:32 UTC
Created attachment 432178 [details]
0017-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

Comment 19 Endi Sukma Dewata 2010-07-15 18:09:56 UTC
Created attachment 432180 [details]
0018-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

Comment 20 Endi Sukma Dewata 2010-07-15 18:10:18 UTC
Created attachment 432181 [details]
0019-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

Comment 21 Endi Sukma Dewata 2010-07-15 18:10:43 UTC
Created attachment 432182 [details]
0020-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

Comment 22 Endi Sukma Dewata 2010-07-15 18:11:15 UTC
Created attachment 432183 [details]
0021-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

Comment 23 Endi Sukma Dewata 2010-07-15 18:11:39 UTC
Created attachment 432184 [details]
0022-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

Comment 24 Endi Sukma Dewata 2010-07-15 18:12:00 UTC
Created attachment 432185 [details]
0023-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

Comment 28 Noriko Hosoi 2010-08-13 23:45:09 UTC
Comment on attachment 432184 [details]
0022-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11849&streamDefectId=12035&defectInstanceId=13897&fileInstanceId=49057

Comment:
slapi_pblock_get does not use pb->pb_op in the SLAPI_BACKEND case but this code should do better checking

I agree with your comment.  Let's check all the places in pblock.c that references pblock->pb_op w/o checking NULL.  

E.g.,
 378     case SLAPI_OPINITIATED_TIME:
 379         (*(time_t *)value) = pblock->pb_op->o_time;
 380         break;

Comment 30 Noriko Hosoi 2010-08-14 00:00:59 UTC
Comment on attachment 432181 [details]
0019-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11851&streamDefectId=12037&defectInstanceId=13899&fileInstanceId=48964

Let's improve the addlenstr side.
diff --git a/ldap/servers/slapd/lenstr.c b/ldap/servers/slapd/lenstr.c
index 23229f5..ec343d4 100644
--- a/ldap/servers/slapd/lenstr.c
+++ b/ldap/servers/slapd/lenstr.c
@@ -56,7 +56,11 @@
 void
 addlenstr( lenstr *l, const char *str )
 {
-    size_t len = strlen( str );
+    size_t len;
+    if (NULL == l || NULL == str) {
+        return;
+    }
+    len = strlen( str );
 
     if ( l->ls_buf == NULL ) {
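Review bot: the guard `if (NULL == l || NULL == str) return;` turns a caller bug into a silent no-op, so a caller that assembles a string from several addlenstr() calls gets a shorter result with no indication that one piece was dropped. If a NULL `str` is genuinely expected here, consider returning a status the caller can act on, or at least logging it at debug level; if it is not expected, an assertion would satisfy Coverity without hiding the defect.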

 addlenstr( lenstr *l, const char *str )
 {
-    size_t len = strlen( str );
+    size_t len;
+    if (NULL == str) {
+        return;
+    }
+    len = strlen( str );
 
     if ( l->ls_buf == NULL ) {
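Review bot: this second variant drops the check on `l` but still dereferences it at `l->ls_buf` on the unchanged context line, so it is only safe if every caller guarantees a non-NULL `l`; the two variants in this comment make different promises to callers and only one should be adopted. Comment 70 says the 0019a patch makes addlenstr() handle NULL arguments (plural), which matches the first variant, so the second should be dropped from the discussion to avoid confusion about the final contract.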

Comment 31 Noriko Hosoi 2010-08-14 00:25:01 UTC
Comment on attachment 432185 [details]
0023-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11852&streamDefectId=12038&defectInstanceId=13900&fileInstanceId=49125

Arguments types and buffer_flags are for returning the output from slapi_vattr_list_attrs.
int slapi_vattr_list_attrs(/* Entry we're interested in */ Slapi_Entry *e,
                    /* pointer to receive the list */ vattr_type_thang **types,
                    int flags, int *buffer_flags)

Probably, we could skip the operation if no output params are given.
diff --git a/ldap/servers/slapd/vattr.c b/ldap/servers/slapd/vattr.c
index b234582..d83b4d0 100644
--- a/ldap/servers/slapd/vattr.c
+++ b/ldap/servers/slapd/vattr.c
@@ -1215,6 +1215,11 @@ int slapi_vattr_list_attrs(/* Entry we're interested in *
        size_t block_length = 0;
        vattr_type_list_context type_context = {0};
 
+    if (NULL == types || NULL == buffer_flags) {
+        LDAPDebug(LDAP_DEBUG_ANY, "slapi_vattr_list_attrs: invalid param\n", 0,
+        return -1;
+    }
+
        block_length  = 1 + TYPE_LIST_EXTRA_SPACE;
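Review bot: the added LDAPDebug call is syntactically incomplete: the line `LDAPDebug(LDAP_DEBUG_ANY, "slapi_vattr_list_attrs: invalid param\n", 0,` is never closed before `return -1;`, so the hunk will not compile as pasted and needs its remaining arguments and closing parenthesis. Also, because slapi_vattr_list_attrs() is a public slapi_ API, the `-1` return for bad parameters should match whatever error convention its existing callers already test for, which this excerpt does not show; worth checking before the 0023a respin.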

Comment 34 Noriko Hosoi 2010-08-14 00:53:48 UTC
Comment on attachment 432161 [details]
0002-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11857&streamDefectId=12043&defectInstanceId=13906&fileInstanceId=49271

Let's improve slapi_sdn_done side.
diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c
index e50ec76..01ab536 100644
--- a/ldap/servers/slapd/dn.c
+++ b/ldap/servers/slapd/dn.c
@@ -1872,6 +1872,9 @@ slapi_sdn_set_parent(Slapi_DN *sdn, const Slapi_DN *parent
 void
 slapi_sdn_done(Slapi_DN *sdn)
 {
+    if (NULL == sdn) {
+        return;
+    }
     /* sdn_dump( sdn, "slapi_sdn_done"); */
     if(sdn->dn!=NULL)
     {
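Review bot: making slapi_sdn_done() itself NULL-tolerant is the right place for this fix, since it removes the need for call-site guards such as `if ( aclcb->aclcb_sdn ) slapi_sdn_done ( aclcb->aclcb_sdn );` quoted in comment 36; once this lands those guards can be dropped rather than kept alongside it. The identical guard is also proposed in patch 0020 (see comment 36), so only one copy should be applied to avoid the two patches conflicting on the same lines.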

Comment 36 Noriko Hosoi 2010-08-14 01:02:25 UTC
(In reply to comment #34)
> (From update of attachment 432161 [details])
> http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11857&streamDefectId=12043&defectInstanceId=13906&fileInstanceId=49271
> 
> Let's improve slapi_sdn_done side.
> diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c
> index e50ec76..01ab536 100644
> --- a/ldap/servers/slapd/dn.c
> +++ b/ldap/servers/slapd/dn.c
> @@ -1872,6 +1872,9 @@ slapi_sdn_set_parent(Slapi_DN *sdn, const Slapi_DN
> *parent
>  void
>  slapi_sdn_done(Slapi_DN *sdn)
>  {
> +    if (NULL == sdn) {
> +        return;
> +    }
>      /* sdn_dump( sdn, "slapi_sdn_done"); */
>      if(sdn->dn!=NULL)
>      {    

This is already proposed in the patch 0020.  Therefore, we don't need this change in the patch 0002.
768  	if ( aclcb->aclcb_sdn ) slapi_sdn_done ( aclcb->aclcb_sdn );

Comment 47 Noriko Hosoi 2010-08-16 18:09:53 UTC
Comment on attachment 432168 [details]
0008-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11873&streamDefectId=12059&defectInstanceId=13922&fileInstanceId=49383

0008-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

Instead of using "free", please use slapi_ch_free.

@@ -500,6 +507,21 @@ collation_indexer_create (const char* oid)
 	    break; /* failed to create the specified collator */
 	}
     }
+    goto done;
+error:
+    if (etc) {
+        free(etc);
+        etc = NULL;
+    }
     slapi_ch_free((void **)&etc);
+    if (ix) {
+        free(ix);
+        ix = NULL;
+    }
     slapi_ch_free((void **)&ix);
+    if (coll) {
+        ucol_close (coll);
+        coll = NULL;
+    }
+done:
     if (locale) {
 	PR_smprintf_free(locale);
 	locale = NULL;
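Review bot: under the `error:` label each pointer is released twice: `free(etc); etc = NULL;` is immediately followed on the unchanged context line by `slapi_ch_free((void **)&etc);`, and the same pair appears for `ix`. The second call is a no-op on a pointer that has just been set to NULL, but the first uses the libc allocator on memory the rest of this file frees with slapi_ch_free(); keep only the existing slapi_ch_free() lines under `error:` and delete the added free()/NULL pairs. The `goto done` added before the label also means `ucol_close(coll)` now runs only on the error path, so confirm that the success path hands `coll` off to the indexer rather than leaking it.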

Comment 49 Noriko Hosoi 2010-08-16 18:22:18 UTC
Comment on attachment 432185 [details]
0023-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11875&streamDefectId=12061&defectInstanceId=13924&fileInstanceId=49125

0023-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

The slapi_ch_.*alloc functions never return NULL (rather, they quit if memory allocation fails). So there is no need to check the return value from slapi_ch_.*alloc.

@@ -2145,21 +2149,32 @@ vattr_map_entry *vattr_map_entry_new(char *type_name, vattr_sp_handle *sph, void
 {
 	vattr_map_entry *result = NULL;
 	vattr_sp_handle *sp_copy = NULL;
        [...]
 	result = (vattr_map_entry*)slapi_ch_calloc(1, sizeof (vattr_map_entry));
	result->type_name = slapi_ch_strdup(type_name);
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
	result->sp_list = sp_copy;
        ^^^^^^^^^^^^^^^^^^^^^^^^^^
 	/* go get schema */
 	result->objectclasses = vattr_map_entry_build_schema(type_name);
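Review bot: agreed that a check on the slapi_ch_calloc() result is dead code when the allocator aborts on failure; the one way `result` can still carry a NULL field in this excerpt is `result->type_name` when the `type_name` parameter is itself NULL, and the excerpt shows no check on that parameter. If Coverity's trace started from the `type_name` argument rather than from the allocation, the guard belongs at the top of vattr_map_entry_new() on the parameter, not on the allocation.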

Comment 50 Noriko Hosoi 2010-08-16 18:28:17 UTC
Comment on attachment 432185 [details]
0023-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11876&streamDefectId=12062&defectInstanceId=13925&fileInstanceId=49125

0023-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

Instead of PR_smprintf, please use slapi_ch_smprintf and get rid of this code (checking the return value from slapi_ch_smprintf)
Comparing "type_to_add" to null implies that "type_to_add" might be null.
 1640                        if(!type_to_add)
 1641                        {
 1642                                ret = -1;
 1643                        }
 1644

Comment 51 Noriko Hosoi 2010-08-16 18:46:19 UTC
Comment on attachment 432170 [details]
0010-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11879&streamDefectId=12065&defectInstanceId=13928&fileInstanceId=49441

0010-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

It's not what Coverity reported, but isn't there another error to bail on?
 1859    if ((old_dn = linked_attrs_get_dn(pb))) {
At conditional (3): "linked_attrs_dn_is_config(old_dn)" taking the false branch.
At conditional (4): "linked_attrs_dn_is_config(new_dn)" taking the false branch.
 1860        if (linked_attrs_dn_is_config(old_dn) || linked_attrs_dn_is_config(new_dn))
 1861            linked_attrs_load_config();
 1862    } else {
 1863        slapi_log_error(SLAPI_LOG_PLUGIN, LINK_PLUGIN_SUBSYSTEM,
 1864                        "linked_attrs_modrdn_post_op: Error "
 1865                        "retrieving dn\n");
 ????         NEED TO SET LDAP_OPERATIONS_ERROR to rc and goto done???
 1866    }

Comment 54 Noriko Hosoi 2010-08-16 20:39:59 UTC
Comment on attachment 432173 [details]
0012-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11883&streamDefectId=12069&defectInstanceId=13932&fileInstanceId=49476

0012-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

If we do error return, we should log the cause of the problem as FATAL.

static int _cl5PositionCursorForReplay (ReplicaId consumerRID, const RUV *consumerRuv,
        Object *replica, Object *fileObj, CL5ReplayIterator **iterator)
{
       [...]
        /* there is a special case which can occur just after migration - in this case,
        the consumer RUV will contain the last state of the supplier before migration,
        but the supplier will have an empty changelog, or the supplier changelog will
        not contain any entries within the consumer min and max CSN - also, since
        the purge RUV contains no CSNs, the changelog has never been purged
        ASSUMPTIONS - it is assumed that the supplier had no pending changes to send
        to any consumers; that is, we can assume that no changes were lost due to
        either changelog purging or database reload - bug# 603061 - richm
        */
        if ((rc == DB_NOTFOUND) && !ruv_has_csns(file->purgeRUV))
        {
            /* use the supplier min csn for the buffer start csn - we know
               this csn is in our changelog */
            slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name_cl,
                            "%s: CSN %s not found and no purging, probably a reinit\n",
                            agmt_name, csnStr);
            if ((RUV_SUCCESS == ruv_get_min_csn(supplierRuv, &startCSN)) &&
                startCSN)
            { /* must now free startCSN */
                csn_as_string(startCSN, PR_FALSE, csnStr);
                slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name_cl,
                                "%s: Will try to use supplier min CSN %s to load changelog\n",
                                agmt_name, csnStr);
                rc = clcache_load_buffer (clcache, startCSN, DB_SET);
            }
            else
            {
+             slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name_cl,
+                         "%s: CSN %s not found and no purging, probably a reinit\n",
+                         agmt_name, csnStr);
+              slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name_cl,
                              "%s: Could not get the min csn from the supplier RUV\n",
                              agmt_name);

+                rc = CL5_RUV_ERROR;
+                goto done;

            }
        }
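Review bot: the added FATAL block re-logs the same "CSN %s not found and no purging, probably a reinit" text that is already logged at SLAPI_LOG_REPL a few lines above, so the error path emits that message twice at two levels; log it once at FATAL here and drop the earlier REPL copy, or keep only the "Could not get the min csn from the supplier RUV" line at FATAL. The `goto done` also assumes a `done:` label in _cl5PositionCursorForReplay() that this fragment does not show; confirm it exists and that nothing allocated earlier in the function (the iterator being built, for instance) is leaked when jumping there with `rc = CL5_RUV_ERROR`.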

Comment 55 Noriko Hosoi 2010-08-16 20:56:28 UTC
Comment on attachment 432174 [details]
0013-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

http://10.16.47.145:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11884&streamDefectId=12070&defectInstanceId=13933&fileInstanceId=49518

0013-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

Since it's an error return, we should log the message as FATAL.

@@ -1515,7 +1515,12 @@ conn_push_schema(Repl_Connection *conn, CSN **remotecsn)
 	Slapi_PBlock *spb = NULL;
 	char localcsnstr[CSN_STRSIZE + 1] = {0};
 
-	if (!conn_connected(conn))
+	if (!remotecsn)
+	{
+		return_value = CONN_OPERATION_FAILED;
+		slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "NULL remote CSN\n");
                                ^^^^^^^^^^^^^^ <-- SLAPI_LOG_FATAL
+	}
+	else if (!conn_connected(conn))
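Review bot: the new `if (!remotecsn)` branch sets CONN_OPERATION_FAILED but logs at SLAPI_LOG_REPL, which is only visible with replication debug logging enabled, so an operator hitting this error return would see nothing in the default error log; it should be SLAPI_LOG_FATAL as noted above. The message "NULL remote CSN\n" also carries no identifier for the connection or agreement, unlike the `"%s: ..."` messages with agmt_name used elsewhere in the replication plugin (comment 54), so include the agreement name so the affected replica can be identified.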

Comment 61 Noriko Hosoi 2010-08-16 22:07:06 UTC
Comment on attachment 432180 [details]
0018-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

https://bugzilla.redhat.com/show_bug.cgi?id=614511#c16

Comment 63 Noriko Hosoi 2010-08-16 23:10:11 UTC
Created attachment 439025 [details]
0001-Bug-614511-fix-coverity-Defect-Type-Null-pointer-der.patch

11856
Comment: If the aci "rule" does not include "($dn)", there is no
pointer assigned to aci_macro and matched_val is NULL.  In that
case, acllas_replace_dn_macro is supposed to return just "user"
itself regardless of [$dn].

Comment 64 Endi Sukma Dewata 2010-08-17 23:07:35 UTC
Created attachment 439242 [details]
0002a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

The patch has been modified to remove NULL value checking before slapi_sdn_done().

Comment 65 Endi Sukma Dewata 2010-08-17 23:09:40 UTC
Created attachment 439243 [details]
0008a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

The patch has been modified to use slapi_ch_free().

Comment 66 Endi Sukma Dewata 2010-08-17 23:14:17 UTC
Created attachment 439244 [details]
0010a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

The patch has been modified to return an error when old_dn is NULL.

Comment 67 Endi Sukma Dewata 2010-08-17 23:19:37 UTC
Created attachment 439246 [details]
0012a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

The patch has been modified to log messages as SLAPI_LOG_FATAL when returning an error.

Comment 68 Endi Sukma Dewata 2010-08-17 23:21:20 UTC
Created attachment 439247 [details]
0013a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

The patch has been modified to log messages as SLAPI_LOG_FATAL when returning
an error.

Comment 69 Endi Sukma Dewata 2010-08-17 23:24:02 UTC
Created attachment 439249 [details]
0018a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

The patch has been fixed to work with the latest code.

Comment 70 Endi Sukma Dewata 2010-08-17 23:26:57 UTC
Created attachment 439250 [details]
0019a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

The addlenstr() has been modified to handle NULL arguments.
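
The addlenstr() discussion (comment 30 and this comment) and the point in comment 49 that slapi_ch_*alloc() never returns NULL both come down to deciding where a NULL is handled. The block below is an added example written for this page, not code from 389 Directory Server: it builds a small length-counted string type modelled loosely on lenstr.c, with a NULL-tolerant append that reports the rejected argument instead of silently returning, a NULL-tolerant free in the style of the slapi_sdn_done() change, and a fail-fast allocator whose callers never test for NULL. The ex_* names, the growth policy and the DN pieces are assumptions made up for the example.

```c
/* Added example, not 389-ds code. ex_* names are hypothetical; the DN
 * pieces in ex_build_dn_demo() are constructed input for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct ex_lenstr {
    char  *ls_buf;    /* NUL-terminated buffer, NULL until the first append */
    size_t ls_len;    /* bytes in use, excluding the terminator */
    size_t ls_maxlen; /* bytes allocated */
} ex_lenstr;

/* Fail-fast allocator in the spirit of slapi_ch_realloc(): it never returns
 * NULL, so callers need no check (the process aborts instead). */
static void *ex_ch_realloc(void *p, size_t n)
{
    void *q = realloc(p, n);
    if (q == NULL) {
        fprintf(stderr, "ex_ch_realloc: out of memory (%zu bytes)\n", n);
        abort();
    }
    return q;
}

ex_lenstr *ex_lenstr_new(void)
{
    ex_lenstr *l = ex_ch_realloc(NULL, sizeof(*l));
    l->ls_buf = NULL;
    l->ls_len = 0;
    l->ls_maxlen = 0;
    return l;
}

/* Append str to l. Returns 0 on success and -1 if either argument is NULL,
 * so the caller can tell a dropped piece from a successful append, which a
 * bare "return" from a void function cannot convey. */
int ex_addlenstr(ex_lenstr *l, const char *str)
{
    size_t len, need;
    if (l == NULL || str == NULL) {
        return -1;
    }
    len = strlen(str);
    need = l->ls_len + len + 1;
    if (l->ls_buf == NULL || need > l->ls_maxlen) {
        size_t newmax = l->ls_maxlen ? l->ls_maxlen : 16;
        while (newmax < need) {
            newmax *= 2;
        }
        l->ls_buf = ex_ch_realloc(l->ls_buf, newmax);
        l->ls_maxlen = newmax;
    }
    memcpy(l->ls_buf + l->ls_len, str, len + 1); /* copies the NUL too */
    l->ls_len += len;
    return 0;
}

/* NULL-tolerant release, like the slapi_sdn_done() change in this bug; it
 * also clears the caller's pointer so a repeat call is a no-op, not a
 * double free. */
void ex_lenstr_free(ex_lenstr **lp)
{
    if (lp == NULL || *lp == NULL) {
        return;
    }
    free((*lp)->ls_buf);
    free(*lp);
    *lp = NULL;
}

/* Assembles a DN from pieces, one of which is deliberately NULL, copies the
 * result into out and returns how many pieces were rejected. */
int ex_build_dn_demo(char *out, size_t outlen)
{
    const char *pieces[] = { "cn=", "Directory Manager", NULL, ",o=", "example" };
    int rejected = 0;
    size_t i;
    ex_lenstr *l = ex_lenstr_new();
    for (i = 0; i < sizeof(pieces) / sizeof(pieces[0]); i++) {
        if (ex_addlenstr(l, pieces[i]) != 0) {
            rejected++;
        }
    }
    snprintf(out, outlen, "%s", l->ls_buf ? l->ls_buf : "");
    ex_lenstr_free(&l);
    ex_lenstr_free(&l); /* second call: harmless no-op */
    return rejected;
}

int main(void)
{
    char dn[64];
    int rejected = ex_build_dn_demo(dn, sizeof(dn));
    printf("%s (%d piece(s) rejected)\n", dn, rejected);
    return 0;
}
```

The status return is the choice to weigh against the patch: Coverity is satisfied by either a bare return or an error code, but only the error code lets the caller notice that a piece of the DN was dropped rather than quietly producing a shorter name.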

Comment 71 Endi Sukma Dewata 2010-08-17 23:29:08 UTC
Created attachment 439252 [details]
0022a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

The patch has been modified to check for a NULL pointer before dereferencing pblock->pb_op.

Comment 72 Endi Sukma Dewata 2010-08-17 23:33:52 UTC
Created attachment 439253 [details]
0023a-Bug-614511-fix-coverify-Defect-Type-Null-pointer-der.patch

The slapi_vattr_list_attrs() has been modified to return an error if either types or buffer_flags is NULL. The vattr_map_entry_new() has been modified not to check the return value of slapi_ch_calloc(). All occurrences of PR_smprintf() and PR_smprintf_free() have been replaced with slapi_ch_calloc() and slapi_ch_free().

Comment 82 Noriko Hosoi 2010-08-19 20:14:57 UTC
On behalf of Endi (edewata), pushed to master.

$ git merge endi
Updating 2a40b4d..5d578b8
Fast-forward
 ldap/servers/plugins/acl/acl.c                     |   25 ++++++--
 ldap/servers/plugins/acl/acl_ext.c                 |    7 ++-
 ldap/servers/plugins/acl/aclgroup.c                |    9 ++-
 ldap/servers/plugins/acl/acllas.c                  |   31 ++++++---
 ldap/servers/plugins/acl/acllist.c                 |   12 +++-
 ldap/servers/plugins/acl/aclplugin.c               |   11 ++-
 ldap/servers/plugins/chainingdb/cb_instance.c      |   55 +++++++++++----
 ldap/servers/plugins/cos/cos_cache.c               |    9 +--
 ldap/servers/plugins/linkedattrs/linked_attrs.c    |   14 +++-
 ldap/servers/plugins/memberof/memberof.c           |   16 ++++-
 ldap/servers/plugins/replication/cl5_api.c         |   13 +++-
 .../servers/plugins/replication/repl5_connection.c |   11 ++-
 ldap/servers/plugins/replication/repl5_protocol.c  |    7 ++-
 ldap/servers/plugins/replication/repl5_replica.c   |    9 ++-
 ldap/servers/plugins/replication/repl5_ruv.c       |   24 +++----
 ldap/servers/plugins/replication/repl_extop.c      |    2 +-
 ldap/servers/plugins/replication/repl_objset.c     |    9 +--
 ldap/servers/slapd/dn.c                            |   14 +++-
 ldap/servers/slapd/filtercmp.c                     |    6 ++-
 ldap/servers/slapd/lenstr.c                        |    6 ++-
 ldap/servers/slapd/pblock.c                        |   69 ++++++++++++++-----
 ldap/servers/slapd/vattr.c                         |   40 ++++++------
 22 files changed, 270 insertions(+), 129 deletions(-)

$ git push
Counting objects: 189, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (156/156), done.
Writing objects: 100% (156/156), 16.89 KiB, done.
Total 156 (delta 128), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   2a40b4d..5d578b8  master -> master

Comment 83 Nathan Kinder 2010-12-09 19:54:19 UTC
Pushed to Directory_Server_8_2_Branch.

Counting objects: 29, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (21/21), done.
Writing objects: 100% (21/21), 4.23 KiB, done.
Total 21 (delta 15), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   1176d3f..975f86c  ds82-local -> Directory_Server_8_2_Branch

Comment 85 Noriko Hosoi 2010-12-21 21:49:52 UTC
Verified the patch pushed to Directory_Server_8_2_Branch by Nathan in Comment 83.

Note: this "verify" is NOT about all the patches attached to this bug.  Also, this bug blocks DSIPA2.0.  We have to change the status of this bug back to ON_QA or duplicate a bug for DSIPA2.0.

Preparation:
1) Downloaded the SRC RPM file and installed it on the local host.
http://download.devel.redhat.com/brewroot/packages/redhat-ds-base/8.2.3/2.el4dsrv/src/redhat-ds-base-8.2.3-2.el4dsrv.src.rpm

2) Checked out the source tree ds.git origin/Directory_Server_8_2_Branch

Commit comment:
commit 975f86cf41083b91709445c2d5af889cf5aa2e3b
Author: Endi S. Dewata <edewata>
Date:   Mon Jul 12 23:18:20 2010 -0500

    Bug 614511 - fix coverify Defect Type: Null pointer dereferences issues 11846 - 11891

    https://bugzilla.redhat.com/show_bug.cgi?id=614511
    Resolves: bug 614511
    Bug description: Fix coverify Defect Type: Null pointer dereferences issues 11846 - 11891
    description: Catch possible NULL pointer in slapi_dn_normalize_ext() and slapi_sdn_done().

Committed patch:
$ git diff -r 4c35ffcf54d6f829c9bfe317308e301e99061acf 975f86cf41083b91709445c2d5af889cf5aa2e3b
diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c
index 0b74c4f..227a41e 100644
--- a/ldap/servers/slapd/dn.c
+++ b/ldap/servers/slapd/dn.c
@@ -1061,10 +1061,12 @@ slapi_dn_normalize_ext(char *src, size_t src_len, char *
     *dest_len = d - *dest;
 bail:
     if (rc < 0) {
-        if (*dest != src) {
-            slapi_ch_free_string(dest);
-        } else {
-            *dest = NULL;
+        if (dest != NULL) {
+            if (*dest != src) {
+                slapi_ch_free_string(dest);
+            } else {
+                *dest = NULL;
+            }
         }
         *dest_len = 0;
     } else if (rc > 0) {
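Review bot: the new `if (dest != NULL)` guard only covers the `rc < 0` branch, while `*dest_len = 0;` on the following context line and `*dest_len = d - *dest;` just above `bail:` still dereference `dest_len` and `dest` unconditionally. If `dest` can legitimately be NULL when control reaches `bail:`, then `dest_len` needs the same treatment and the assignment before `bail:` must be unreachable with a NULL `dest`; otherwise this check silences the Coverity finding without making slapi_dn_normalize_ext() safe. Validating both output parameters once at function entry and returning an error would be simpler than guarding individual uses at the exit.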
@@ -1981,6 +1983,10 @@ void
 slapi_sdn_done(Slapi_DN *sdn)
 {
     /* sdn_dump( sdn, "slapi_sdn_done"); */
+    if(sdn==NULL)
+    {
+        return;
+    }
     if(sdn->dn!=NULL)
     {
         if(slapi_isbitset_uchar(sdn->flag,FLAG_DN))
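Review bot: with slapi_sdn_done() now returning early on a NULL `sdn`, caller-side guards such as the `if ( aclcb->aclcb_sdn ) slapi_sdn_done ( aclcb->aclcb_sdn );` quoted in comment 36 are redundant; comment 64 says the 0002a patch already removed its copy of that check, and the remaining ones should go the same way in a follow-up so that the NULL contract lives in one place. Placing the guard after the commented-out `sdn_dump` line is harmless, since that call is disabled.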

Compare dn.c from SRC RPM with the one from git.ds -- MATCHED:
# diff rpmbuild/SOURCES/redhat-ds-base-8.2.3/ldap/servers/slapd/dn.c /export/src/ds82/ldapserver/ldap/servers/slapd/dn.c
#

Comment 87 errata-xmlrpc 2011-01-03 19:54:25 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0003.html

