[Pkg-openldap-devel] slapd crash on specific search query (#863569)

Ryan Tandy ryan at nardis.ca
Sun May 28 23:31:22 UTC 2017


On Sun, May 28, 2017 at 10:54:38PM +0200, Moritz Muehlenhoff wrote:
> Let's fix this via security.debian.org, can you please send a debdiff
> for jessie-security when ready?

Attached.
-------------- next part --------------
diff -u openldap-2.4.40+dfsg/debian/changelog openldap-2.4.40+dfsg/debian/changelog
--- openldap-2.4.40+dfsg/debian/changelog
+++ openldap-2.4.40+dfsg/debian/changelog
@@ -1,3 +1,11 @@
+openldap (2.4.40+dfsg-1+deb8u3) jessie-security; urgency=medium
+
+  * debian/patches/ITS-8655-paged-results-double-free.patch: Fix a double free 
+    in the MDB backend on a search including the Paged Results control with a 
+    page size of 0. (ITS#8655) (Closes: #863563)
+
+ -- Ryan Tandy <ryan at nardis.ca>  Sun, 28 May 2017 16:08:03 -0700
+
 openldap (2.4.40+dfsg-1+deb8u2) jessie; urgency=medium
 
   * debian/patches/ITS8003-fix-off-by-one-in-LDIF-length.patch: Import
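Review bot: the changelog entry closes #863563 while the subject of this thread refers to #863569; confirm which bug number the jessie-security upload should close before it is built. Also, the two wrapped lines of the bullet ("double free " and "control with a ") carry trailing whitespace, which lintian warns about in debian/changelog; trim it.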
diff -u openldap-2.4.40+dfsg/debian/patches/series openldap-2.4.40+dfsg/debian/patches/series
--- openldap-2.4.40+dfsg/debian/patches/series
+++ openldap-2.4.40+dfsg/debian/patches/series
@@ -28,0 +29 @@
+ITS-8655-paged-results-double-free.patch
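Review bot: the new series entry is named ITS-8655-paged-results-double-free.patch, while the existing patch visible in the changelog hunk above is ITS8003-fix-off-by-one-in-LDIF-length.patch (no hyphen after ITS); pick one naming form so the series stays consistent. Appending at the end of series is fine here, since the patch header reports it touches only servers/slapd/back-mdb/search.c.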
only in patch2:
unchanged:
--- openldap-2.4.40+dfsg.orig/debian/patches/ITS-8655-paged-results-double-free.patch
+++ openldap-2.4.40+dfsg/debian/patches/ITS-8655-paged-results-double-free.patch
@@ -0,0 +1,28 @@
+From 0cee1ffb6021b1aae3fcc9581699da1c85a6dd6e Mon Sep 17 00:00:00 2001
+From: Ryan Tandy <ryan at nardis.ca>
+Date: Wed, 17 May 2017 20:07:39 -0700
+Subject: [PATCH] ITS#8655 fix double free on paged search with pagesize 0
+
+Fixes a double free when a search includes the Paged Results control
+with a page size of 0 and the search base matches the filter.
+---
+ servers/slapd/back-mdb/search.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/servers/slapd/back-mdb/search.c b/servers/slapd/back-mdb/search.c
+index 301d1a4..43442aa 100644
+--- a/servers/slapd/back-mdb/search.c
++++ b/servers/slapd/back-mdb/search.c
+@@ -1066,7 +1066,8 @@ notfound:
+ 			/* check size limit */
+ 			if ( get_pagedresults(op) > SLAP_CONTROL_IGNORED ) {
+ 				if ( rs->sr_nentries >= ((PagedResultsState *)op->o_pagedresults_state)->ps_size ) {
+-					mdb_entry_return( op, e );
++					if (e != base)
++						mdb_entry_return( op, e );
+ 					e = NULL;
+ 					send_paged_response( op, rs, &lastid, tentries );
+ 					goto done;
+-- 
+2.1.4
+
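Review bot: the guard `if (e != base)` before `mdb_entry_return( op, e )` covers the case the description names (the base entry matched the filter, so e aliases base, which the description implies is released separately), and keeping `e = NULL` afterwards ensures no later cleanup touches it; it is worth confirming that any other `mdb_entry_return( op, e )` in this function reachable with e == base carries the same guard, since with a page size of 0 the `rs->sr_nentries >= ps_size` test is already true for the very first candidate. Style: the surrounding code writes conditions as `if ( ... )` with spaces inside the parentheses, so `if ( e != base )` would match. Since this ships as a Debian patch, add DEP-3 headers above the From line (Origin: upstream with the commit id, Bug-Debian: the bug number) so the provenance is recorded in the patch file itself.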