From 88e569d8572aa91c8d3f685a59d286bfd2055cb6 Mon Sep 17 00:00:00 2001
From: Howard Chu
Date: Sat, 22 Aug 2020 12:38:10 +0100
Subject: [PATCH] ITS#9249 librewrite: fix malloc/free corruption

If substitution parsing fails, would attempt to free a mapping that hadn't been allocated yet. Also, on failure, caller in saslauthz would attempt to free a rwinfo struct that hadn't been allocated.
---
 libraries/librewrite/subst.c | 28 +++++++++++-----------------
 servers/slapd/saslauthz.c | 2 +-
 2 files changed, 12 insertions(+), 18 deletions(-)

diff --git a/libraries/librewrite/subst.c b/libraries/librewrite/subst.c
index c3e2da51e3..82fce358dd 100644
--- a/libraries/librewrite/subst.c
+++ b/libraries/librewrite/subst.c
@@ -32,7 +32,7 @@ rewrite_subst_compile(
 {
 	size_t subs_len;
 	struct berval *subs = NULL, *tmps;
-	struct rewrite_submatch *submatch = NULL;
+	struct rewrite_submatch *submatch = NULL, *tmpsm;
 	struct rewrite_subst *s = NULL;
@@ -71,7 +71,16 @@ rewrite_subst_compile(
 			goto cleanup;
 		}
 		subs = tmps;
-
+		subs[ nsub ].bv_val = NULL;
+
+		tmpsm = ( struct rewrite_submatch * )realloc( submatch,
+				sizeof( struct rewrite_submatch )*( nsub + 1 ) );
+		if ( tmpsm == NULL ) {
+			goto cleanup;
+		}
+		submatch = tmpsm;
+		submatch[ nsub ].ls_map = NULL;
+
 		/*
 		 * I think an `if l > 0' at runtime is better outside than
 		 * inside a function call ...
@@ -95,19 +104,12 @@ rewrite_subst_compile(
 		 * Substitution pattern
 		 */
 		if ( isdigit( (unsigned char) p[ 1 ] ) ) {
-			struct rewrite_submatch *tmpsm;
 			int d = p[ 1 ] - '0';
 			/*
 			 * Add a new value substitution scheme
 			 */
-			tmpsm = ( struct rewrite_submatch * )realloc( submatch,
-					sizeof( struct rewrite_submatch )*( nsub + 1 ) );
-			if ( tmpsm == NULL ) {
-				goto cleanup;
-			}
-			submatch = tmpsm;
 			submatch[ nsub ].ls_submatch = d;
 			/*
@@ -140,7 +142,6 @@ rewrite_subst_compile(
 			 */
 		} else if ( p[ 1 ] == '{' ) {
 			struct rewrite_map *map;
-			struct rewrite_submatch *tmpsm;
 			map = rewrite_map_parse( info, p + 2,
 					(const char **)&begin );
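Review bot: The slot reserved in the hunk at -71 is only partially initialized: `subs[ nsub ].bv_val` and `submatch[ nsub ].ls_map` are set to NULL, but every other field of both new entries (the berval length, `ls_type`, `ls_submatch`) holds whatever realloc left there until the digit or `{` branch fills it in, so a cleanup path that inspects any field other than ls_map for entry nsub would still read indeterminate memory. Zeroing the whole entry is simpler to reason about and costs nothing here: `memset( &submatch[ nsub ], 0, sizeof( submatch[ nsub ] ) );` in place of the single ls_map assignment, and likewise for `subs[ nsub ]`. The pure deletions at -95 and -152 follow from moving the realloc forward; the one at -152 also drops the `rewrite_map_destroy( &map )` that covered realloc failure, which is safe only if there is no other early exit between rewrite_map_parse returning and `submatch[ nsub ].ls_map = map;` — that stretch is outside the hunk, so it is worth confirming. rewrite_subst_compile begins and ends outside these hunks.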
@@ -152,13 +153,6 @@ rewrite_subst_compile(
 			/*
 			 * Add a new value substitution scheme
 			 */
-			tmpsm = ( struct rewrite_submatch * )realloc( submatch,
-					sizeof( struct rewrite_submatch )*( nsub + 1 ) );
-			if ( tmpsm == NULL ) {
-				rewrite_map_destroy( &map );
-				goto cleanup;
-			}
-			submatch = tmpsm;
 			submatch[ nsub ].ls_type = REWRITE_SUBMATCH_MAP_W_ARG;
 			submatch[ nsub ].ls_map = map;
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index 0c9e3c794b..c64dde0c5a 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -1532,7 +1532,7 @@ int slap_sasl_regexp_config( const char *match, const char *replace, int valx )
 		slap_sasl_rewrite_destroy();
 		sasl_rwinfo = rw;
-	} else {
+	} else if ( rw ) {
 		rewrite_info_delete( &rw );
 	}
-- 
2.47.3
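Review bot: The new `else if ( rw )` guard in the saslauthz hunk at -1532 protects this one caller, but nothing on the line says why rw can be NULL, and any other caller that hands rewrite_info_delete() an unallocated handle has the same problem; since the commit message attributes it to the struct never having been allocated, a short comment would keep the next reader from "simplifying" the guard away, e.g. `/* rw is NULL when the rewrite info was never allocated; nothing to delete */`. The more general fix would be for rewrite_info_delete() itself to tolerate a NULL *info the way free(NULL) does, so the check lives once in the library rather than in each caller — that function is not on this page, so whether it already does so partially cannot be told from here. slap_sasl_regexp_config continues outside the hunk on both sides.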