blob: 5ca2a60c6094a54baa053bc70ac25434be7da22a (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
Fix CVE-2017-9287:
https://www.openldap.org/its/?findid=8655
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9287
Patch copied from upstream source repository:
https://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=0cee1ffb6021b1aae3fcc9581699da1c85a6dd6e
From 0cee1ffb6021b1aae3fcc9581699da1c85a6dd6e Mon Sep 17 00:00:00 2001
From: Ryan Tandy <ryan@nardis.ca>
Date: Wed, 17 May 2017 20:07:39 -0700
Subject: [PATCH] ITS#8655 fix double free on paged search with pagesize 0
Fixes a double free when a search includes the Paged Results control
with a page size of 0 and the search base matches the filter.
---
servers/slapd/back-mdb/search.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/servers/slapd/back-mdb/search.c b/servers/slapd/back-mdb/search.c
index 301d1a498c..43442aa242 100644
--- a/servers/slapd/back-mdb/search.c
+++ b/servers/slapd/back-mdb/search.c
@@ -1066,7 +1066,8 @@ notfound:
/* check size limit */
if ( get_pagedresults(op) > SLAP_CONTROL_IGNORED ) {
if ( rs->sr_nentries >= ((PagedResultsState *)op->o_pagedresults_state)->ps_size ) {
- mdb_entry_return( op, e );
+ if (e != base)
+ mdb_entry_return( op, e );
e = NULL;
send_paged_response( op, rs, &lastid, tentries );
goto done;
--
2.13.0
|