1
0
forked from jengelh/openldap2
openldap2/0017-Fix-segfault-in-nops.patch
Peter Varkoly e604505058 - Fix CVE-2017-17740: when both the nops module and the memberof
overlay are enabled, attempts to free a buffer that was allocated
  on the stack
  * patch: 0017-Fix-segfault-in-nops.patch
  (bsc#1073313)

OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=233
2018-11-21 15:17:38 +00:00

36 lines
1.2 KiB
Diff

diff --git a/servers/slapd/overlays/memberof.c b/servers/slapd/overlays/memberof.c
index 54c24682a..06945d811 100644
--- a/servers/slapd/overlays/memberof.c
+++ b/servers/slapd/overlays/memberof.c
@@ -360,10 +360,16 @@ memberof_value_modify(
unsigned long opid = op->o_opid;
SlapReply rs2 = { REP_RESULT };
slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
- Modifications mod[ 2 ] = { { { 0 } } }, *ml;
- struct berval values[ 4 ], nvalues[ 4 ];
+ Modifications *mod, *ml;
+ struct berval *values, *nvalues;
int mcnt = 0;
+ mod = (Modifications*)malloc(2 * sizeof(Modifications));
+ memset(mod, 0, 2 * sizeof(Modifications));
+
+ values = (struct berval*)malloc(4 * sizeof(struct berval));
+ nvalues = (struct berval*)malloc(4 * sizeof(struct berval));
+
op2.o_tag = LDAP_REQ_MODIFY;
op2.o_req_dn = *ndn;
@@ -493,6 +499,11 @@ memberof_value_modify(
/* restore original opid */
op->o_opid = opid;
+
+ slap_mods_free( mod, 0 );
+ free(values);
+ free(nvalues);
+
/* FIXME: if old_group_ndn doesn't exist, both delete __and__
* add will fail; better split in two operations, although
* not optimal in terms of performance. At least it would