Date:      Wed, 25 May 2016 01:37:26 +0000 (UTC)
From:      Don Lewis <truckman@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r300639 - head/usr.sbin/ypldap
Message-ID:  <201605250137.u4P1bQ86017456@repo.freebsd.org>

Author: truckman
Date: Wed May 25 01:37:25 2016
New Revision: 300639
URL: https://svnweb.freebsd.org/changeset/base/300639

Log:
  Fix Coverity CIDs 1340544 Resource leak and 1340543 Use after free
  
  At line 479 of ldapclient.c in client_build_req(), the error return
  leaks ldap_attrs (CID 1340544).  It looks like this can happen if
  the first utoa() call in aldap_get_stringset() fails.  It looks
  like other leaks can happen if other utoa() calls fail since scanning
  this array when it is freed stops when the first NULL is encountered.
  Fix these problems by not storing NULL in the array when utoa()
  fails, and by freeing ret and returning NULL if nothing is stored
  in the array.  That way the caller will never see the
  ldap_attrs[0] == NULL case, so delete that check.
  
  The ber_printf_element() calls ber_free_elements() on its ber
  argument and returns NULL on failure.  When each of its callers
  detects failure, they do a goto fail, which then calls ber_free_elements()
  with the same pointer (CID 1340543).  Fix is to delete the
  ber_free_elements() from ber_printf_element()
  
  Reported by:	Coverity
  CID:		1340543, 1340544
  Reviewed by:	araujo
  Differential Revision:	https://reviews.freebsd.org/D6550

Modified:
  head/usr.sbin/ypldap/aldap.c
  head/usr.sbin/ypldap/ber.c
  head/usr.sbin/ypldap/ldapclient.c

Modified: head/usr.sbin/ypldap/aldap.c
==============================================================================
--- head/usr.sbin/ypldap/aldap.c	Wed May 25 01:35:02 2016	(r300638)
+++ head/usr.sbin/ypldap/aldap.c	Wed May 25 01:37:25 2016	(r300639)
@@ -716,12 +716,19 @@ aldap_get_stringset(struct ber_element *
 		return NULL;
 
 	for (a = elm, i = 0; a != NULL && a->be_type == BER_TYPE_OCTETSTRING;
-	    a = a->be_next, i++) {
+	    a = a->be_next) {
 
 		ber_get_string(a, &s);
 		ret[i] = utoa(s);
+		if (ret[i] != NULL)
+			i++;
+		
 	}
-	ret[i + 1] = NULL;
+	if (i == 0) {
+		free(ret);
+		return NULL;
+	}
+	ret[i] = NULL;
 
 	return ret;
 }
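Review bot: In the loop of aldap_get_stringset(), a utoa() failure now drops that value silently, and the new `if (i == 0)` branch returns NULL just as the earlier `return NULL` path at the top of the hunk does, so a caller cannot tell "nothing converted" apart from that earlier failure. A comment on the function stating that the returned array may hold fewer entries than the BER set, and that NULL covers both cases, would document the new contract. The result of `ber_get_string(a, &s)` is still not checked before `s` is handed to utoa(); a check there would make the skip logic cover that call too. The terminator also moves from `ret[i + 1]` to `ret[i]`, which the log does not mention, and the added blank line after `i++;` carries trailing tabs that should be dropped.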

Modified: head/usr.sbin/ypldap/ber.c
==============================================================================
--- head/usr.sbin/ypldap/ber.c	Wed May 25 01:35:02 2016	(r300638)
+++ head/usr.sbin/ypldap/ber.c	Wed May 25 01:37:25 2016	(r300639)
@@ -621,7 +621,6 @@ ber_printf_elements(struct ber_element *
 
 	return (ber);
  fail:
-	ber_free_elements(ber);
 	return (NULL);
 }
 
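Review bot: The `fail:` path in ber_printf_elements() now returns NULL without releasing `ber`, so ownership on failure moves entirely to the callers, and any caller that does not free its own pointer after a NULL return turns the former double free into a leak. The log states that each caller does a goto fail that calls ber_free_elements(), but none of those call sites are part of this patch, so please confirm the audit covered all of them and add a comment above the function saying that the caller keeps ownership of `ber` on failure. The log also names the function ber_printf_element() while the hunk header shows ber_printf_elements(); the log text should match.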

Modified: head/usr.sbin/ypldap/ldapclient.c
==============================================================================
--- head/usr.sbin/ypldap/ldapclient.c	Wed May 25 01:35:02 2016	(r300638)
+++ head/usr.sbin/ypldap/ldapclient.c	Wed May 25 01:37:25 2016	(r300639)
@@ -475,8 +475,6 @@ client_build_req(struct idm *idm, struct
 		} else {
 			if (aldap_match_attr(m, idm->idm_attrs[i], &ldap_attrs) == -1)
 				return (-1);
-			if (ldap_attrs[0] == NULL)
-				return (-1);
 			if (strlcat(ir->ir_line, ldap_attrs[0],
 			    sizeof(ir->ir_line)) >= sizeof(ir->ir_line)) {
 				aldap_free_attr(ldap_attrs);
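Review bot: After this removal, `ldap_attrs[0]` goes straight into strlcat() in client_build_req() with the `aldap_match_attr(...) == -1` test as the only guard, so the change is safe only if aldap_match_attr() returns -1 whenever aldap_get_stringset() returns NULL and never leaves `ldap_attrs` NULL or unset on a success return. That function is not touched by this patch, so the guarantee cannot be checked from the diff; please confirm it, or keep a cheap `ldap_attrs == NULL` test here that returns -1 without leaking. A one-line comment noting that a successful aldap_match_attr() always yields at least one string would keep a later reader from reintroducing the check.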


