Commit 88e569d8 authored by Howard Chu's avatar Howard Chu Committed by Quanah Gibson-Mount

ITS#9249 librewrite: fix malloc/free corruption

If substitution parsing fails, the code would attempt to free a mapping
that hadn't been allocated yet.

Also, on failure, caller in saslauthz would attempt to free a
rwinfo struct that hadn't been allocated.
parent 8a521c17
...@@ -32,7 +32,7 @@ rewrite_subst_compile( ...@@ -32,7 +32,7 @@ rewrite_subst_compile(
{ {
size_t subs_len; size_t subs_len;
struct berval *subs = NULL, *tmps; struct berval *subs = NULL, *tmps;
struct rewrite_submatch *submatch = NULL; struct rewrite_submatch *submatch = NULL, *tmpsm;
struct rewrite_subst *s = NULL; struct rewrite_subst *s = NULL;
...@@ -71,7 +71,16 @@ rewrite_subst_compile( ...@@ -71,7 +71,16 @@ rewrite_subst_compile(
goto cleanup; goto cleanup;
} }
subs = tmps; subs = tmps;
subs[ nsub ].bv_val = NULL;
tmpsm = ( struct rewrite_submatch * )realloc( submatch,
sizeof( struct rewrite_submatch )*( nsub + 1 ) );
if ( tmpsm == NULL ) {
goto cleanup;
}
submatch = tmpsm;
submatch[ nsub ].ls_map = NULL;
/* /*
* I think an `if l > 0' at runtime is better outside than * I think an `if l > 0' at runtime is better outside than
* inside a function call ... * inside a function call ...
...@@ -95,19 +104,12 @@ rewrite_subst_compile( ...@@ -95,19 +104,12 @@ rewrite_subst_compile(
* Substitution pattern * Substitution pattern
*/ */
if ( isdigit( (unsigned char) p[ 1 ] ) ) { if ( isdigit( (unsigned char) p[ 1 ] ) ) {
struct rewrite_submatch *tmpsm;
int d = p[ 1 ] - '0'; int d = p[ 1 ] - '0';
/* /*
* Add a new value substitution scheme * Add a new value substitution scheme
*/ */
tmpsm = ( struct rewrite_submatch * )realloc( submatch,
sizeof( struct rewrite_submatch )*( nsub + 1 ) );
if ( tmpsm == NULL ) {
goto cleanup;
}
submatch = tmpsm;
submatch[ nsub ].ls_submatch = d; submatch[ nsub ].ls_submatch = d;
/* /*
...@@ -140,7 +142,6 @@ rewrite_subst_compile( ...@@ -140,7 +142,6 @@ rewrite_subst_compile(
*/ */
} else if ( p[ 1 ] == '{' ) { } else if ( p[ 1 ] == '{' ) {
struct rewrite_map *map; struct rewrite_map *map;
struct rewrite_submatch *tmpsm;
map = rewrite_map_parse( info, p + 2, map = rewrite_map_parse( info, p + 2,
(const char **)&begin ); (const char **)&begin );
...@@ -152,13 +153,6 @@ rewrite_subst_compile( ...@@ -152,13 +153,6 @@ rewrite_subst_compile(
/* /*
* Add a new value substitution scheme * Add a new value substitution scheme
*/ */
tmpsm = ( struct rewrite_submatch * )realloc( submatch,
sizeof( struct rewrite_submatch )*( nsub + 1 ) );
if ( tmpsm == NULL ) {
rewrite_map_destroy( &map );
goto cleanup;
}
submatch = tmpsm;
submatch[ nsub ].ls_type = submatch[ nsub ].ls_type =
REWRITE_SUBMATCH_MAP_W_ARG; REWRITE_SUBMATCH_MAP_W_ARG;
submatch[ nsub ].ls_map = map; submatch[ nsub ].ls_map = map;
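Review bot: The relocated realloc() in the second hunk initialises only `subs[ nsub ].bv_val` and `submatch[ nsub ].ls_map`, so the new slot's `bv_len`, `ls_type` and `ls_submatch` stay indeterminate until one of the later branches assigns them. The cleanup label is outside the visible hunks, so I can't confirm whether it reads any of those fields or how it bounds its loop over the two arrays. Zeroing the whole slot would keep every early `goto cleanup` safe regardless of what the cleanup code inspects: `memset( &submatch[ nsub ], 0, sizeof( submatch[ nsub ] ) );` in place of the single `ls_map = NULL` store, and the same for `subs[ nsub ]`. A short comment above the two realloc() calls, such as `/* grow both arrays together and clear the new slot so cleanup never frees an unset pointer */`, would also record why the allocation was hoisted out of the branches.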
......
...@@ -1532,7 +1532,7 @@ int slap_sasl_regexp_config( const char *match, const char *replace, int valx ) ...@@ -1532,7 +1532,7 @@ int slap_sasl_regexp_config( const char *match, const char *replace, int valx )
slap_sasl_rewrite_destroy(); slap_sasl_rewrite_destroy();
sasl_rwinfo = rw; sasl_rwinfo = rw;
} else { } else if ( rw ) {
rewrite_info_delete( &rw ); rewrite_info_delete( &rw );
} }
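Review bot: The `else if ( rw )` guard fixes this one call site, but going by the commit message `rewrite_info_delete()` does not appear to tolerate a pointer to a NULL info struct, which would leave any other caller that reaches it on a failure path exposed to the same free of unallocated memory. It would be more robust for `rewrite_info_delete()` itself to return early when `*info` is NULL, keeping the caller-side check only as documentation. The `if` condition and the code that assigns `rw` are outside this hunk, so a one-line comment here such as `/* rw is still NULL if setup failed before the rewrite info was allocated */` would help the next reader see why the guard is needed.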
......