A very old fix made to str2simple introduced this logic error.
@@ -275,13 +277,17 @@ str2simple( char *str ) } f->f_avvalue.bv_val = unqstr; f->f_avvalue.bv_len = len2; - } + } if ( !unescape_filter ) { + f->f_avtype = slapi_ch_strdup( str ); + f->f_avvalue.bv_val = slapi_ch_strdup ( value ); + f->f_avvalue.bv_len = strlen ( f->f_avvalue.bv_val ); + } return( f ); }
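Review bot: the added `if ( !unescape_filter )` block assigns f->f_avtype without regard to f->f_choice, but f_avtype shares union storage with f_type, which the earlier `if ( f->f_choice == LDAP_FILTER_PRESENT )` branch has already populated with a strdup'ed copy of str; for a presence filter with unescape_filter == 0 the second `f->f_avtype = slapi_ch_strdup( str );` overwrites that pointer and the first allocation is leaked. Make this branch mutually exclusive with the presence case, for example by chaining it as `else if ( !unescape_filter ) {` onto the preceding if/else-if, so exactly one strdup of str runs per call. The leading `- }` / `+ }` pair is an indentation-only change and could be dropped from the patch to keep the hunk focused.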
This is the subset of the questionable code:
    if ( f->f_choice == LDAP_FILTER_PRESENT ) {
        f->f_type = slapi_ch_strdup( str );
    } else if ( unescape_filter ) {
        f->f_avtype = slapi_ch_strdup( str );
    }
    if ( !unescape_filter ) {
        f->f_avtype = slapi_ch_strdup( str );
    }
f->f_type and f_avtype share the same memory via a union. If ( f->f_choice == LDAP_FILTER_PRESENT ) and ( !unescape_filter ), the first strdup'ed str is leaked.
Currently, there is no place to call str2simple with unescape_filter == 0. Thus, we have no memory leak caused by this error.
Fix description: str2simple sets the strdup'ed type this way:

    if ( f->f_choice == LDAP_FILTER_PRESENT ) {
        f->f_type = slapi_ch_strdup( str );
    } else if ( unescape_filter ) {
        f->f_avtype = slapi_ch_strdup( str );
    }
    if ( !unescape_filter ) {
        f->f_avtype = slapi_ch_strdup( str );
    }

If f_choice is LDAP_FILTER_PRESENT and !unescape_filter is true, the first strdup'ed string is leaked since f_type and f_avtype share the same memory. But currently, str2simple is not called with (unescape_filter == 0). Thus there is no chance to satisfy the condition. This patch fixes the flaw.
git patch file (master) 0001-Ticket-603-A-logic-error-in-str2simple.patch
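The leak mechanism described in the ticket, as an added example that is not code from 389-ds-base: a constructed filter struct whose f_type and f_avtype alias the same union storage, a counting strdup wrapper so the lost allocation is visible without an external leak checker, the flawed assignment order quoted above, and a corrected ordering (the chained else-if is this example's assumption about the fix, not the project's actual patch). The struct layout, tag values and tracked_strdup/leaked_after helpers are all constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the filter struct: f_type and f_avtype alias the same
 * union member, as the ticket describes. Not the project's real definition. */
#define LDAP_FILTER_PRESENT  0x87
#define LDAP_FILTER_EQUALITY 0xa3

struct filter {
    int f_choice;
    union {
        char *f_un_type;    /* accessed as f_type   */
        char *f_un_avtype;  /* accessed as f_avtype */
    } f_un;
};
#define f_type   f_un.f_un_type
#define f_avtype f_un.f_un_avtype

/* Allocation counter standing in for slapi_ch_strdup/slapi_ch_free, so a
 * leak shows up as a non-zero count instead of needing valgrind. */
static int live_allocs = 0;

static char *tracked_strdup(const char *s) {
    char *p = strdup(s);
    if (p) live_allocs++;
    return p;
}

static void tracked_free(char *p) {
    if (p) { live_allocs--; free(p); }
}

/* Flawed ordering from the ticket: the trailing if is not exclusive with the
 * presence branch, so for PRESENT + !unescape_filter it clobbers f_type. */
static void set_type_flawed(struct filter *f, const char *str, int unescape_filter) {
    if (f->f_choice == LDAP_FILTER_PRESENT) {
        f->f_type = tracked_strdup(str);
    } else if (unescape_filter) {
        f->f_avtype = tracked_strdup(str);
    }
    if (!unescape_filter) {
        f->f_avtype = tracked_strdup(str);  /* overwrites the pointer set above */
    }
}

/* Corrected ordering (assumed fix): one chained if/else-if, exactly one strdup. */
static void set_type_fixed(struct filter *f, const char *str, int unescape_filter) {
    if (f->f_choice == LDAP_FILTER_PRESENT) {
        f->f_type = tracked_strdup(str);
    } else if (unescape_filter) {
        f->f_avtype = tracked_strdup(str);
    } else {
        f->f_avtype = tracked_strdup(str);
    }
}

/* Run one setter, release what the struct still points to, and report how
 * many strdup'ed strings are unreachable: 0 is clean, 1 is the ticket's leak. */
static int leaked_after(void (*setter)(struct filter *, const char *, int),
                        int choice, int unescape_filter) {
    struct filter f = { .f_choice = choice };
    live_allocs = 0;
    setter(&f, "objectClass", unescape_filter);
    tracked_free(f.f_type);  /* same pointer as f.f_avtype via the union */
    return live_allocs;
}

int main(void) {
    printf("flawed, PRESENT, unescape_filter=0: %d leaked\n",
           leaked_after(set_type_flawed, LDAP_FILTER_PRESENT, 0));
    printf("fixed,  PRESENT, unescape_filter=0: %d leaked\n",
           leaked_after(set_type_fixed, LDAP_FILTER_PRESENT, 0));
    return 0;
}
```

The only combination that leaks is a presence filter reached with unescape_filter == 0, which is why the ticket notes no live leak while every caller passes unescape_filter != 0; the counter makes that one-path dependency explicit.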
Reviewed by Rich (Thank you!!)
Pushed to master: commit 24e80bf
Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.3.1
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/603
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)