summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authoraschrijver <aschrijver@cvs.openbsd.org>2009-01-16 13:11:16 +0000
committeraschrijver <aschrijver@cvs.openbsd.org>2009-01-16 13:11:16 +0000
commit8d2d889f22e5c866a3ba507f5e8f41351f2805e4 (patch)
tree023bb6b2695338a1d92f21b3a774b6531cf14dcc
parent674b7d913884a50390f167f9881511397531349c (diff)
Fix double free with invalid ldap filter (reported by dlg@).
Fix more memory leaks.
-rw-r--r--usr.sbin/ypldap/aldap.c81
1 files changed, 58 insertions, 23 deletions
diff --git a/usr.sbin/ypldap/aldap.c b/usr.sbin/ypldap/aldap.c
index c8579f55466..dd0a1acb51d 100644
--- a/usr.sbin/ypldap/aldap.c
+++ b/usr.sbin/ypldap/aldap.c
@@ -1,5 +1,5 @@
-/* $Id: aldap.c,v 1.10 2009/01/04 00:11:05 aschrijver Exp $ */
-/* $OpenBSD: aldap.c,v 1.10 2009/01/04 00:11:05 aschrijver Exp $ */
+/* $Id: aldap.c,v 1.11 2009/01/16 13:11:15 aschrijver Exp $ */
+/* $OpenBSD: aldap.c,v 1.11 2009/01/16 13:11:15 aschrijver Exp $ */
/*
* Copyright (c) 2008 Alexander Schrijver <aschrijver@openbsd.org>
@@ -63,71 +63,105 @@ aldap_init(int fd)
int
aldap_bind(struct aldap *ldap, char *binddn, char *bindcred)
{
- struct ber_element *root;
+ struct ber_element *root = NULL, *elm;
int error;
- root = ber_add_sequence(NULL);
- ber_printf_elements(root, "d{tdsst", ++ldap->msgid, BER_CLASS_APP,
+ if((root = ber_add_sequence(NULL)) == NULL)
+ goto fail;
+
+ elm = ber_printf_elements(root, "d{tdsst", ++ldap->msgid, BER_CLASS_APP,
(unsigned long)LDAP_REQ_BIND, VERSION, binddn, bindcred,
BER_CLASS_CONTEXT, (unsigned long)LDAP_AUTH_SIMPLE);
+ if(elm == NULL)
+ goto fail;
LDAP_DEBUG("aldap_bind", root);
error = ber_write_elements(&ldap->ber, root);
ber_free_elements(root);
+ root = NULL;
if (error == -1)
- return (-1);
+ goto fail;
return (ldap->msgid);
+fail:
+ if(root != NULL)
+ ber_free_elements(root);
+ return (-1);
}
int
aldap_unbind(struct aldap *ldap)
{
- struct ber_element *root;
+ struct ber_element *root = NULL, *elm;
int error;
- root = ber_add_sequence(NULL);
- ber_printf_elements(root, "d{t", ++ldap->msgid, BER_CLASS_APP,
+ if((root = ber_add_sequence(NULL)) == NULL)
+ goto fail;
+ elm = ber_printf_elements(root, "d{t", ++ldap->msgid, BER_CLASS_APP,
LDAP_REQ_UNBIND_30);
+ if(elm == NULL)
+ goto fail;
LDAP_DEBUG("aldap_unbind", root);
error = ber_write_elements(&ldap->ber, root);
ber_free_elements(root);
+ root = NULL;
if (error == -1)
- return (-1);
+ goto fail;
return (ldap->msgid);
+fail:
+ if(root != NULL)
+ ber_free_elements(root);
+
+ return (-1);
}
int
aldap_search(struct aldap *ldap, char *basedn, enum scope scope, char *filter,
char **attrs, int typesonly, int sizelimit, int timelimit)
{
- struct ber_element *root, *ber;
+ struct ber_element *root = NULL, *ber;
int i, error;
- root = ber_add_sequence(NULL);
+ if((root = ber_add_sequence(NULL)) == NULL)
+ goto fail;
+
ber = ber_printf_elements(root, "d{tsEEddb", ++ldap->msgid, BER_CLASS_APP,
(unsigned long)LDAP_REQ_SEARCH, basedn, (long long)scope,
(long long)LDAP_DEREF_NEVER, sizelimit, timelimit, typesonly);
+ if(ber == NULL)
+ goto fail;
- ber = ldap_parse_search_filter(ber, filter);
- ber = ber_add_sequence(ber);
+ if((ber = ldap_parse_search_filter(ber, filter)) == NULL)
+ goto parsefail;
+ if((ber = ber_add_sequence(ber)) == NULL)
+ goto fail;
if(attrs != NULL)
- for(i = 0; i >= 0 && attrs[i] != NULL; i++)
- ber = ber_add_string(ber, attrs[i]);
+ for(i = 0; i >= 0 && attrs[i] != NULL; i++) {
+ if((ber = ber_add_string(ber, attrs[i])) == NULL)
+ goto fail;
+ }
LDAP_DEBUG("aldap_search", root);
error = ber_write_elements(&ldap->ber, root);
ber_free_elements(root);
+ root = NULL;
if (error == -1)
- return (-1);
+ goto fail;
return (ldap->msgid);
+
+parsefail: /* XXX -- error reporting */
+fail:
+ if(root != NULL)
+ ber_free_elements(root);
+
+ return (-1);
}
struct aldap_message *
@@ -580,7 +614,7 @@ ldap_parse_search_filter(struct ber_element *ber, char *filter)
static struct ber_element *
ldap_do_parse_search_filter(struct ber_element *prev, char **cpp)
{
- struct ber_element *elm, *root;
+ struct ber_element *elm, *root = NULL;
char *attr_desc, *attr_val, *parsed_val, *cp;
size_t len;
unsigned long type;
@@ -730,11 +764,10 @@ ldap_do_parse_search_filter(struct ber_element *prev, char **cpp)
break;
}
- if((parsed_val = parseval(attr_val, len)) ==
- NULL)
+ if((parsed_val = parseval(attr_val, len)) == NULL)
goto callfail;
- if ((elm = ber_add_nstring(elm, parsed_val, strlen(parsed_val)))
- == NULL)
+ if ((elm = ber_add_nstring(elm, parsed_val,
+ strlen(parsed_val))) == NULL)
goto callfail;
free(parsed_val);
break;
@@ -748,7 +781,9 @@ ldap_do_parse_search_filter(struct ber_element *prev, char **cpp)
syntaxfail: /* XXX -- error reporting */
callfail:
bad:
- ber_free_elements(root);
+ if(root != NULL)
+ ber_free_elements(root);
+ ber_link_elements(prev, NULL);
return (NULL);
}