From 4c82238f0c4273dbf7cf945eebc2ede66f47f680 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Thu, 16 Jul 2015 10:34:47 -0700
Subject: [PATCH 86/86] Ticket #48226 - In MMR, double free could occur under
 some special condition

Bug description:
  In a replicated topology, an authenticated user that has write access
  on an entry can send a series of operations that crash the server.
  The crash is due to an access to an already freed buffer.
Fix description:
  To avoid the double free, duplicate a CSNSet and assign it to the
  Slapi_Value.

https://fedorahosted.org/389/ticket/48226

Reviewed by rmeggins@redhat.com (Thank you, Rich!!)

(cherry picked from commit a0f8e0f981a046882db299a7a6d6d1c01bc19571)
(cherry picked from commit bdbc81e62eb8d7b8dfb298c7ba983cf86353fe66)
(cherry picked from commit 413414c98313a076111d8e40a7a10fa369433e6e)
---
 ldap/servers/slapd/valueset.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ldap/servers/slapd/valueset.c b/ldap/servers/slapd/valueset.c
index 9d77b0c..fb7a99b 100644
--- a/ldap/servers/slapd/valueset.c
+++ b/ldap/servers/slapd/valueset.c
@@ -1444,8 +1444,9 @@ valueset_update_csn_for_valuearray_ext(Slapi_ValueSet *vs, const Slapi_Attr *a,
 			if(v)
 			{
 				value_update_csn(v,t,csn);
-				if (csnref_updated)
-					valuestoupdate[i]->v_csnset = (CSNSet *)value_get_csnset(v);
+				if (csnref_updated) {
+					valuestoupdate[i]->v_csnset = csnset_dup(value_get_csnset(v));
+				}
 				valuearrayfast_add_value_passin(&vaf_valuesupdated,valuestoupdate[i]);
 				valuestoupdate[i]= NULL;
 				del_count++;
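Review bot: the new `valuestoupdate[i]->v_csnset = csnset_dup(value_get_csnset(v));` line overwrites `v_csnset` without releasing whatever it held before, so if `valuestoupdate[i]->v_csnset` can already be non-NULL at this point the old CSNSet leaks; either free it before the assignment or note in a comment why it is guaranteed to be NULL here. It is also worth confirming that `csnset_dup` tolerates a NULL result from `value_get_csnset(v)`, since the pre-change code merely copied the pointer and would have been fine with NULL, whereas a dup routine that dereferences its argument would not be.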
-- 
1.9.3