From 20fb50fcd5f394ad889546a302607f84d7464371 Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Fri, 30 Oct 2009 19:21:37 +0000
Subject: [PATCH] ITS#6337

---
 CHANGES                       |  1 +
 servers/slapd/back-relay/op.c | 31 ++++++++++++++++++++++++++++++-
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index af333bb407..a3da8e38a8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,7 @@ OpenLDAP 2.4.20 Engineering
 	Fixed libldap uninitialized return value (ITS#6355)
 	Fixed slapd debug handling of LDAP_DEBUG_ANY (ITS#6324)
 	Fixed slapd-ldap leak (ITS#6326)
+	Fixed slapd-relay bind segfault (ITS#6337)
 	Fixed slapo-memberof operational attr updates (ITS#6329)
 	Fixed slapo-syncprov deadlock (ITS#6335)
 	Documentation
diff --git a/servers/slapd/back-relay/op.c b/servers/slapd/back-relay/op.c
index 31ec8a897c..1c7ba71baa 100644
--- a/servers/slapd/back-relay/op.c
+++ b/servers/slapd/back-relay/op.c
@@ -93,6 +93,27 @@ relay_back_response_cb( Operation *op, SlapReply *rs )
 	return SLAP_CB_CONTINUE;
 }
 
+/* quick hack for ITS#6337: use malloc'ed callback for bind */
+int
+relay_back_cleanup2_cb( Operation *op, SlapReply *rs )
+{
+	op->o_bd = ((relay_callback *) op->o_callback)->rcb_bd;
+	op->o_tmpfree( op->o_callback, op->o_tmpmemctx );
+	op->o_callback = NULL;
+	return SLAP_CB_CONTINUE;
+}
+
+int
+relay_back_response2_cb( Operation *op, SlapReply *rs )
+{
+	relay_callback	*rcb = (relay_callback *) op->o_callback;
+
+	rcb->rcb_sc.sc_cleanup = relay_back_cleanup2_cb;
+	rcb->rcb_bd = op->o_bd;
+	op->o_bd = op->o_callback->sc_private;
+	return SLAP_CB_CONTINUE;
+}
+
 #define relay_back_add_cb( rcb, op, bd )			\
 	{							\
 		(rcb)->rcb_sc.sc_next = (op)->o_callback;	\
@@ -199,7 +220,15 @@ relay_back_op( Operation *op, SlapReply *rs, int which )
 	} else if ( (func = (&bd->be_bind)[which]) != 0 ) {
 		relay_callback	rcb;
 
-		relay_back_add_cb( &rcb, op, bd );
+		if ( which == op_bind ) {
+			/* quick hack for ITS#6337: use malloc'ed callback for bind */
+			relay_callback *rcbp = op->o_tmpcalloc( sizeof( relay_callback ), 1, op->o_tmpmemctx );
+			relay_back_add_cb( rcbp, op, bd );
+			rcbp->rcb_sc.sc_response = relay_back_response2_cb;
+
+		} else {
+			relay_back_add_cb( &rcb, op, bd );
+		}
 
 		RELAY_WRAP_OP( op, bd, which, {
 			rc = func( op, rs );
-- 
GitLab