Bug 690536 - Double free in dse_add()
Double free in dse_add()
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Rich Megginson
Chandrasekar Kannan
: screened
Depends On: 690526
  Show dependency treegraph
Reported: 2011-03-24 11:40 EDT by Nathan Kinder
Modified: 2015-01-04 18:47 EST (History)
6 users (show)

See Also:
Fixed In Version: 389-ds-base-1.2.8-0.8.rc2.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 690526
Last Closed: 2011-05-19 08:42:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Nathan Kinder 2011-03-24 11:40:27 EDT
+++ This bug was initially created as a clone of Bug #690526 +++

It's possible to encounter a double free of a Slapi_Entry in an error condition in dse_add().  This function makes a copy of the entry being added for use by postop plug-ins, but it can be free'd twice in the following code:

  e_copy = slapi_entry_dup(e);
  if ( dse_add_entry_pb(pdse, e_copy, pb) != 0)
      slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
      return dse_add_return(error, e_copy);

The dse_add_entry_pb() function frees the passed in entry in all conditions, but dse_add_return() also free's the passed in entry.  This double free could trigger a crash.

The way dse_add works is that entry in SLAPI_ADD_ENTRY in the pblock should be consumed upon success, but will be left for the caller to deal with upon failure.  We should be passing NULL for the second argument to dse_add_return() to avoid the double free.

--- Additional comment from nkinder@redhat.com on 2011-03-24 11:18:30 EDT ---

Created attachment 487370 [details]
Patch for cov#10734

--- Additional comment from rmeggins@redhat.com on 2011-03-24 11:24:27 EDT ---

Do we need to get this in asap?

--- Additional comment from nkinder@redhat.com on 2011-03-24 11:37:24 EDT ---

(In reply to comment #2)
> Do we need to get this in asap?

I don't know how easy it is to trigger this issue since it is in an error block when adding an entry to the dse backend, but it seems like we should try to get it in ASAP to me.

--- Additional comment from nkinder@redhat.com on 2011-03-24 11:39:15 EDT ---

Pushed to master.  Thanks to Rich for his review!

Counting objects: 11, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 1.02 KiB, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   b41338f..1b22679  master -> master
Comment 1 Jenny Galipeau 2011-03-24 11:43:09 EDT
Can you please add steps to reproduce? Thanks jenny
Comment 2 Nathan Kinder 2011-03-24 11:46:59 EDT
(In reply to comment #1)
> Can you please add steps to reproduce? Thanks jenny

Sorry, this was found via a Coverity scan.  The issue can only be triggered by some sort of internal error condition, so I don't know how easy it would be to reproduce.  I believe we should re-run Coverity for verification.
Comment 3 Rich Megginson 2011-03-28 18:59:19 EDT
Checking in 0008-Bug-690526-cov-10734-Double-free-in-dse_add.patch;
/cvs/dist/rpms/389-ds-base/RHEL-6/0008-Bug-690526-cov-10734-Double-free-in-dse_add.patch,v  <--  0008-Bug-690526-cov-10734-Double-free-in-dse_add.patch
initial revision: 1.1
Checking in 389-ds-base.spec;
/cvs/dist/rpms/389-ds-base/RHEL-6/389-ds-base.spec,v  <--  389-ds-base.spec
new revision: 1.19; previous revision: 1.18
Comment 5 Chandrasekar Kannan 2011-04-20 19:36:32 EDT
Coverity related. Can I ask dev to confirm that subsequent coverity runs aren't showing this issue ?.
Comment 6 Rich Megginson 2011-04-29 10:22:17 EDT
verified - coverity shows no issue
Comment 7 Amita Sharma 2011-05-02 01:49:50 EDT
Thanks for the confirmation Rich.
Comment 8 errata-xmlrpc 2011-05-19 08:42:55 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.