mirror/openldap
2
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-03-07 14:18:15 +08:00
Code Issues Packages Projects Releases Wiki Activity

ITS#8592 Fix double free in sssvlv overlay

Browse Source
This commit is contained in:
Kevin Lam 2017-02-21 12:20:38 +08:00 committed by Quanah Gibson-Mount
parent 3eeb562489
commit 11bf6bc10a
1 changed files with 63 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

103
servers/slapd/overlays/sssvlv.c
View File

@ -116,6 +116,7 @@ typedef struct sort_op
int so_vlv_target;
int so_session;
unsigned long so_vcontext;
int so_running;
} sort_op;
/* There is only one conn table for all overlay instances */
@ -396,30 +397,35 @@ static int find_next_session(
static void free_sort_op( Connection *conn, sort_op *so )
{
int sess_id;
if ( so->so_tree ) {
if ( so->so_paged > SLAP_CONTROL_IGNORED ) {
TAvlnode *cur_node, *next_node;
cur_node = so->so_tree;
while ( cur_node ) {
next_node = tavl_next( cur_node, TAVL_DIR_RIGHT );
ch_free( cur_node->avl_data );
ber_memfree( cur_node );
cur_node = next_node;
}
} else {
tavl_free( so->so_tree, ch_free );
}
so->so_tree = NULL;
}
ldap_pvt_thread_mutex_lock( &sort_conns_mutex );
sess_id = find_session_by_so( so->so_info->svi_max_percon, conn->c_conn_idx, so );
sort_conns[conn->c_conn_idx][sess_id] = NULL;
so->so_info->svi_num--;
if ( sess_id > -1 ) {
sort_conns[conn->c_conn_idx][sess_id] = NULL;
so->so_info->svi_num--;
}
ldap_pvt_thread_mutex_unlock( &sort_conns_mutex );
if ( sess_id > -1 ){
if ( so->so_tree ) {
if ( so->so_paged > SLAP_CONTROL_IGNORED ) {
TAvlnode *cur_node, *next_node;
cur_node = so->so_tree;
while ( cur_node ) {
next_node = tavl_next( cur_node, TAVL_DIR_RIGHT );
ch_free( cur_node->avl_data );
ber_memfree( cur_node );
ch_free( so );
cur_node = next_node;
}
} else {
tavl_free( so->so_tree, ch_free );
}
so->so_tree = NULL;
}
ch_free( so );
}
}
static void free_sort_ops( Connection *conn, sort_op **sos, int svi_max_percon )
@ -704,6 +710,8 @@ static void send_result(
if ( so->so_tree == NULL ) {
/* Search finished, so clean up */
free_sort_op( op->o_conn, so );
} else {
so->so_running = 0;
}
}
@ -859,26 +867,40 @@ static int sssvlv_op_search(
sess_id = find_session_by_context( si->svi_max_percon, op->o_conn->c_conn_idx, vc ? vc->vc_context : NO_VC_CONTEXT, ps ? ps->ps_cookie : NO_PS_COOKIE );
if ( sess_id >= 0 ) {
so = sort_conns[op->o_conn->c_conn_idx][sess_id];
/* Is it a continuation of a VLV search? */
if ( !vc || so->so_vlv <= SLAP_CONTROL_IGNORED ||
vc->vc_context != so->so_vcontext ) {
/* Is it a continuation of a paged search? */
if ( !ps || so->so_paged <= SLAP_CONTROL_IGNORED ||
op->o_conn->c_pagedresults_state.ps_cookie != ps->ps_cookie ) {
ok = 0;
} else if ( !ps->ps_size ) {
/* Abandoning current request */
ok = 0;
so->so_nentries = 0;
rs->sr_err = LDAP_SUCCESS;
}
}
if (( vc && so->so_paged > SLAP_CONTROL_IGNORED ) ||
( ps && so->so_vlv > SLAP_CONTROL_IGNORED )) {
/* changed from paged to vlv or vice versa, abandon */
ok = 0;
so->so_nentries = 0;
rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
if( so->so_running > 0 ){
/* another thread is handling, response busy to client */
so = NULL;
ok = 0;
} else {
/* Is it a continuation of a VLV search? */
if ( !vc || so->so_vlv <= SLAP_CONTROL_IGNORED ||
vc->vc_context != so->so_vcontext ) {
/* Is it a continuation of a paged search? */
if ( !ps || so->so_paged <= SLAP_CONTROL_IGNORED ||
op->o_conn->c_pagedresults_state.ps_cookie != ps->ps_cookie ) {
ok = 0;
} else if ( !ps->ps_size ) {
/* Abandoning current request */
ok = 0;
so->so_nentries = 0;
rs->sr_err = LDAP_SUCCESS;
}
}
if (( vc && so->so_paged > SLAP_CONTROL_IGNORED ) ||
( ps && so->so_vlv > SLAP_CONTROL_IGNORED )) {
/* changed from paged to vlv or vice versa, abandon */
ok = 0;
so->so_nentries = 0;
rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
}
if ( ok ) {
/* occupy before mutex unlock */
so->so_running = 1;
}
}
/* Are there too many running overall? */
} else if ( si->svi_num >= si->svi_max ) {
@ -947,6 +969,7 @@ static int sssvlv_op_search(
so->so_vlv = op->o_ctrlflag[vlv_cid];
so->so_vcontext = (unsigned long)so;
so->so_nentries = 0;
so->so_running = 1;
op->o_callback = cb;
}