Red Hat Bugzilla – Bug 690536
Double free in dse_add()
Last modified: 2015-01-04 18:47:30 EST
+++ This bug was initially created as a clone of Bug #690526 +++
It's possible to encounter a double free of a Slapi_Entry in an error condition in dse_add(). This function makes a copy of the entry being added for use by postop plug-ins, but it can be free'd twice in the following code:
e_copy = slapi_entry_dup(e);
if ( dse_add_entry_pb(pdse, e_copy, pb) != 0)
slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
return dse_add_return(error, e_copy);
The dse_add_entry_pb() function frees the passed in entry in all conditions, but dse_add_return() also free's the passed in entry. This double free could trigger a crash.
The way dse_add works is that entry in SLAPI_ADD_ENTRY in the pblock should be consumed upon success, but will be left for the caller to deal with upon failure. We should be passing NULL for the second argument to dse_add_return() to avoid the double free.
--- Additional comment from email@example.com on 2011-03-24 11:18:30 EDT ---
Created attachment 487370 [details]
Patch for cov#10734
--- Additional comment from firstname.lastname@example.org on 2011-03-24 11:24:27 EDT ---
Do we need to get this in asap?
--- Additional comment from email@example.com on 2011-03-24 11:37:24 EDT ---
(In reply to comment #2)
> Do we need to get this in asap?
I don't know how easy it is to trigger this issue since it is in an error block when adding an entry to the dse backend, but it seems like we should try to get it in ASAP to me.
--- Additional comment from firstname.lastname@example.org on 2011-03-24 11:39:15 EDT ---
Pushed to master. Thanks to Rich for his review!
Counting objects: 11, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 1.02 KiB, done.
Total 6 (delta 4), reused 0 (delta 0)
b41338f..1b22679 master -> master
Can you please add steps to reproduce? Thanks jenny
(In reply to comment #1)
> Can you please add steps to reproduce? Thanks jenny
Sorry, this was found via a Coverity scan. The issue can only be triggered by some sort of internal error condition, so I don't know how easy it would be to reproduce. I believe we should re-run Coverity for verification.
Checking in 0008-Bug-690526-cov-10734-Double-free-in-dse_add.patch;
/cvs/dist/rpms/389-ds-base/RHEL-6/0008-Bug-690526-cov-10734-Double-free-in-dse_add.patch,v <-- 0008-Bug-690526-cov-10734-Double-free-in-dse_add.patch
initial revision: 1.1
Checking in 389-ds-base.spec;
/cvs/dist/rpms/389-ds-base/RHEL-6/389-ds-base.spec,v <-- 389-ds-base.spec
new revision: 1.19; previous revision: 1.18
Coverity related. Can I ask dev to confirm that subsequent coverity runs aren't showing this issue ?.
verified - coverity shows no issue
Thanks for the confirmation Rich.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.