From owner-svn-src-all@freebsd.org Wed May 25 01:37:27 2016 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3C0D9B49586; Wed, 25 May 2016 01:37:27 +0000 (UTC) (envelope-from truckman@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id F33F11C34; Wed, 25 May 2016 01:37:26 +0000 (UTC) (envelope-from truckman@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u4P1bQ5I017459; Wed, 25 May 2016 01:37:26 GMT (envelope-from truckman@FreeBSD.org) Received: (from truckman@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u4P1bQ86017456; Wed, 25 May 2016 01:37:26 GMT (envelope-from truckman@FreeBSD.org) Message-Id: <201605250137.u4P1bQ86017456@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: truckman set sender to truckman@FreeBSD.org using -f From: Don Lewis Date: Wed, 25 May 2016 01:37:26 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r300639 - head/usr.sbin/ypldap X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 May 2016 01:37:27 -0000 Author: truckman Date: Wed May 25 01:37:25 2016 New Revision: 300639 URL: https://svnweb.freebsd.org/changeset/base/300639 Log: Fix Coverity CIDs 1340544 Resource leak and 1340543 Use after free At line 479 of ldapclient.c in client_build_req(), the error return leaks ldap_attrs (CID 1340544). It looks like this can happen if the first utoa() call in aldap_get_stringset() fails. It looks like other leaks can happen if other utoa() calls fail since scanning this array when it is freed stops when the first NULL is encountered. Fix these problems by not storing NULL in the array when utoa() fails, and by freeing ret and returning NULL if nothing is stored in the array. That way the caller will never see the ldap_attrs[0] == NULL case, so delete that check. The ber_printf_element() calls ber_free_elements() on its ber argument and returns NULL on failure. When each of its callers detects failure, they do a goto fail, which then calls ber_free_elements() with the same pointer (CID 1340543). Fix is to delete the ber_free_elements() from ber_printf_element() Reported by: Coverity CID: 1340543, 1340544 Reviewed by: araujo Differential Revision: https://reviews.freebsd.org/D6550 Modified: head/usr.sbin/ypldap/aldap.c head/usr.sbin/ypldap/ber.c head/usr.sbin/ypldap/ldapclient.c Modified: head/usr.sbin/ypldap/aldap.c ============================================================================== --- head/usr.sbin/ypldap/aldap.c Wed May 25 01:35:02 2016 (r300638) +++ head/usr.sbin/ypldap/aldap.c Wed May 25 01:37:25 2016 (r300639) @@ -716,12 +716,19 @@ aldap_get_stringset(struct ber_element * return NULL; for (a = elm, i = 0; a != NULL && a->be_type == BER_TYPE_OCTETSTRING; - a = a->be_next, i++) { + a = a->be_next) { ber_get_string(a, &s); ret[i] = utoa(s); + if (ret[i] != NULL) + i++; + } - ret[i + 1] = NULL; + if (i == 0) { + free(ret); + return NULL; + } + ret[i] = NULL; return ret; } Modified: head/usr.sbin/ypldap/ber.c ============================================================================== --- head/usr.sbin/ypldap/ber.c Wed May 25 01:35:02 2016 (r300638) +++ head/usr.sbin/ypldap/ber.c Wed May 25 01:37:25 2016 (r300639) @@ -621,7 +621,6 @@ ber_printf_elements(struct ber_element * return (ber); fail: - ber_free_elements(ber); return (NULL); } Modified: head/usr.sbin/ypldap/ldapclient.c ============================================================================== --- head/usr.sbin/ypldap/ldapclient.c Wed May 25 01:35:02 2016 (r300638) +++ head/usr.sbin/ypldap/ldapclient.c Wed May 25 01:37:25 2016 (r300639) @@ -475,8 +475,6 @@ client_build_req(struct idm *idm, struct } else { if (aldap_match_attr(m, idm->idm_attrs[i], &ldap_attrs) == -1) return (-1); - if (ldap_attrs[0] == NULL) - return (-1); if (strlcat(ir->ir_line, ldap_attrs[0], sizeof(ir->ir_line)) >= sizeof(ir->ir_line)) { aldap_free_attr(ldap_attrs);