
Ticket 328 - make sure all internal search filters are properly escaped

Fix description:
Fixing double-free issues introduced with commit 3cf9a521fa43183c657a5dca507dec3a4379e383.
1) If ctx.buf is realloc'ed in filter_stuff_func, slapi_filter_sprintf
   returns the already-freed buf, and the buf is then freed again by the caller.
2) If a filter escape occurs in get_substring_filter, the freed val is
   returned to the caller via "struct slapi_filter *f" and is freed
   again.
Noriko Hosoi, 13 years ago
Commit de8fd7d0e5
2 files changed, 3 insertions and 1 deletion
  1. +2 −0  ldap/servers/slapd/filter.c
  2. +1 −1  ldap/servers/slapd/util.c

ldap/servers/slapd/filter.c (+2 −0)

@@ -516,6 +516,7 @@ get_substring_filter(
 			if(eval){
 				slapi_ch_free_string(&val);
 				val = eval;
+				f->f_sub_initial = val;
 			}
 			*fstr = slapi_ch_realloc( *fstr, strlen( *fstr ) +
 			    strlen( val ) + 1 );
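Review bot: the added `f->f_sub_initial = val;` only closes the double free if `val` is the same pointer that was earlier stored in `f->f_sub_initial`; please confirm that aliasing in the code above this hunk, because if `f->f_sub_initial` was set from a different copy it still dangles after `slapi_ch_free_string(&val)`. Also note that between the free and the new assignment `f->f_sub_initial` briefly points at freed memory, which is fine only as long as nothing in between dereferences `f`; a one-line comment ("val aliases f->f_sub_initial; re-point it at the escaped copy") would make the invariant obvious to the next reader.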
@@ -546,6 +547,7 @@ get_substring_filter(
 			if(eval){
 				slapi_ch_free_string(&val);
 				val = eval;
+				f->f_sub_final = val;
 			}
 			*fstr = slapi_ch_realloc( *fstr, strlen( *fstr ) +
 			    strlen( val ) + 2 );
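Review bot: this is the same free-then-reassign sequence as the `f_sub_initial` case roughly thirty lines earlier, now for `f->f_sub_final`; since the escape path is duplicated, consider a small helper that frees `val`, swaps in `eval` and updates the filter field in one place, so any further substring component handled between these two hunks (the "any" values, if they go through the same escape) cannot be missed. If such a middle path exists and escapes `val` without updating the corresponding `f` field, it would still carry the double-free this commit is fixing.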

ldap/servers/slapd/util.c (+1 −1)

@@ -431,7 +431,7 @@ slapi_filter_sprintf(const char *fmt, ...)
     }
     va_end(args);
 
-    return buf;
+    return ctx.buf;
 }
 
 /*
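Review bot: returning `ctx.buf` is the right fix when `filter_stuff_func` can realloc the buffer, but the local `buf` is now a stale pointer for the rest of the function; please check there is no remaining use of `buf` after the formatting loop (a `free`, a length check, or a debug print would reintroduce the use-after-free), and consider dropping or renaming the local so it cannot be picked up by mistake later. It would also help to document in the function comment that the caller owns the returned buffer and must release it with `slapi_ch_free_string`, since that ownership contract is exactly what the double free in the commit message violated.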