==30265== Invalid read of size 1
==30265==    at 0x4C4DAE4: comp_cmp (attr.c:98)
==30265==    by 0x4C4DBED: slapi_attr_type_cmp (attr.c:131)
==30265==    by 0x4CAF1C7: default_mr_filter_match (plugin_mr.c:391)
==30265==    by 0x4C7589B: test_extensible_filter (filterentry.c:588)
==30265==    by 0x4C763F1: slapi_vattr_filter_test_ext_internal (filterentry.c:953)
==30265==    by 0x4C75EB7: slapi_vattr_filter_test_ext (filterentry.c:842)
==30265==    by 0x4C75DEE: slapi_vattr_filter_test (filterentry.c:790)
==30265==    by 0x9A43860: ldbm_back_next_search_entry_ext (ldbm_search.c:1598)
==30265==    by 0x9A42CA6: ldbm_back_next_search_entry (ldbm_search.c:1309)
==30265==    by 0x4C9ECE8: iterate (opshared.c:1183)
==30265==    by 0x4C9F5E8: send_results_ext (opshared.c:1580)
==30265==    by 0x4C9E3F9: op_shared_search (opshared.c:764)
==30265==    by 0x42CACA: do_search (search.c:397)
==30265==    by 0x414089: connection_dispatch_operation (connection.c:619)
==30265==    by 0x4158F4: connection_threadmain (connection.c:2336)
==30265==    by 0x36C3628442: ??? (in /lib64/libnspr4.so)
==30265==    by 0x3936C07B40: start_thread (pthread_create.c:305)
==30265==    by 0x39360DF49C: clone (clone.S:115)
==30265==  Address 0x5123ae0 is 0 bytes inside a block of size 19 free'd
==30265==    at 0x4A055FE: free (vg_replace_malloc.c:366)
==30265==    by 0x4C5552D: slapi_ch_free (ch_malloc.c:363)
==30265==    by 0x4C72530: filter_normalize_ext (filter.c:1163)
==30265==    by 0x4C725CD: slapi_filter_normalize (filter.c:1189)
==30265==    by 0x9A42281: ldbm_back_search (ldbm_search.c:882)
==30265==    by 0x4C9E30D: op_shared_search (opshared.c:714)
==30265==    by 0x42CACA: do_search (search.c:397)
==30265==    by 0x414089: connection_dispatch_operation (connection.c:619)
==30265==    by 0x4158F4: connection_threadmain (connection.c:2336)
==30265==    by 0x36C3628442: ??? (in /lib64/libnspr4.so)
==30265==    by 0x3936C07B40: start_thread (pthread_create.c:305)
==30265==    by 0x39360DF49C: clone (clone.S:115)
==13399== Thread 41:
==13399== Invalid read of size 8
==13399==    at 0x4CA061D: slapi_pblock_get (pblock.c:153)
==13399==    by 0x53A09DF: ces_filter_ava (ces.c:305)
==13399==    by 0x4CAF218: default_mr_filter_match (plugin_mr.c:398)
==13399==    by 0x4C7589B: test_extensible_filter (filterentry.c:588)
==13399==    by 0x4C763F1: slapi_vattr_filter_test_ext_internal (filterentry.c:953)
==13399==    by 0x4C75EB7: slapi_vattr_filter_test_ext (filterentry.c:842)
==13399==    by 0x4C75DEE: slapi_vattr_filter_test (filterentry.c:790)
==13399==    by 0x9A43860: ldbm_back_next_search_entry_ext (ldbm_search.c:1598)
==13399==    by 0x9A42CA6: ldbm_back_next_search_entry (ldbm_search.c:1309)
==13399==    by 0x4C9ECE8: iterate (opshared.c:1183)
==13399==    by 0x4C9F5E8: send_results_ext (opshared.c:1580)
==13399==    by 0x4C9E3F9: op_shared_search (opshared.c:764)
==13399==    by 0x42CAEF: do_search (search.c:400)
==13399==    by 0x414089: connection_dispatch_operation (connection.c:619)
==13399==    by 0x4158F4: connection_threadmain (connection.c:2336)
==13399==    by 0x36C3628442: ??? (in /lib64/libnspr4.so)
==13399==    by 0x3936C07B40: start_thread (pthread_create.c:305)
==13399==    by 0x39360DF49C: clone (clone.S:115)
==13399==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
git patch file (master) 0001-Trac-Ticket-275-Invalid-read-reported-by-valgrind.patch
Fix description: Since the matching rule type could be normalized and the original string could be freed in filter_normalize_ext, the type needs to have a duplicated string (bitwise.c, plugin_mr.c).
Filter_ava functions and filter_sub functions in the syntax plugins need to check if the passed pblock is NULL or not before accessing it.
Reviewed by Nathan (Thank you!!).
Pushed to master.
$ git merge trac275
Updating 43ec9da..c08e877
Fast-forward
 ldap/servers/plugins/bitwise/bitwise.c         |  3 ++-
 ldap/servers/plugins/syntaxes/bitstring.c      | 14 ++++++++------
 ldap/servers/plugins/syntaxes/ces.c            | 11 +++++++----
 ldap/servers/plugins/syntaxes/cis.c            | 11 +++++++----
 ldap/servers/plugins/syntaxes/deliverymethod.c | 11 +++++++----
 ldap/servers/plugins/syntaxes/dn.c             |  9 ++++++---
 ldap/servers/plugins/syntaxes/facsimile.c      | 11 +++++++----
 ldap/servers/plugins/syntaxes/guide.c          | 11 +++++++----
 ldap/servers/plugins/syntaxes/int.c            |  9 ++++++---
 ldap/servers/plugins/syntaxes/nameoptuid.c     | 11 +++++++----
 ldap/servers/plugins/syntaxes/numericstring.c  |  9 ++++++---
 ldap/servers/plugins/syntaxes/sicis.c          | 11 +++++++----
 ldap/servers/plugins/syntaxes/string.c         | 17 +++++++++++------
 ldap/servers/plugins/syntaxes/tel.c            | 11 +++++++----
 ldap/servers/plugins/syntaxes/teletex.c        | 11 +++++++----
 ldap/servers/plugins/syntaxes/telex.c          |  9 ++++++---
 ldap/servers/slapd/plugin_mr.c                 |  8 ++++----
 ldap/servers/slapd/search.c                    |  3 +++
 18 files changed, 115 insertions(+), 65 deletions(-)
$ git push
Counting objects: 51, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (25/25), done.
Writing objects: 100% (26/26), 3.64 KiB, done.
Total 26 (delta 22), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   43ec9da..c08e877  master -> master
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=788728
Added initial screened field value.
Metadata Update from @rmeggins: - Issue assigned to nhosoi - Issue set to the milestone: 1.2.10.rc1
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/275
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for any inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)