ITS#10249 slapo-nestgroup: plug leak in nestgroup_memberFilter

servers/slapd/overlays/nestgroup.c

@@ -447,11 +447,11 @@ nestgroup_memberFilter( Operation *op, int mbr_nf, nestgroup_filterinst_t *mbr_f
 				t = ldap_tavl_next( t, TAVL_DIR_LEFT );
 				op->o_tmpfree( dp, op->o_tmpmemctx );
 			} while ( t );
-			ldap_tavl_free( gi->gi_DNs, NULL );
 			f->f_choice = LDAP_FILTER_EQUALITY;
 			f->f_ava = mbr_f[i].nf_f->f_ava;
 			mbr_f[i].nf_new = f;
 		}
+		ldap_tavl_free( gi->gi_DNs, NULL );
 	}
 	o.o_bd->bd_info = (BackendInfo *)on->on_info;
 	op->o_tmpfree( sc, op->o_tmpmemctx );

tests/data/nestgroup.out.1

@@ -156,6 +156,16 @@ objectClass: inetOrgPerson
 cn: Roger Rabbit
 sn: Rabbit
 
+dn: cn=Strays,ou=Groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: Strays
+member: cn=Tom Riddle,ou=People,dc=example,dc=com
+
+dn: cn=Tom Riddle,ou=People,dc=example,dc=com
+objectClass: inetOrgPerson
+cn: Tom Riddle
+sn: Riddle
+
 dn: cn=Tweety Bird,ou=People,dc=example,dc=com
 objectClass: inetOrgPerson
 cn: Tweety Bird
@@ -197,6 +207,12 @@ member: cn=Elmer Fudd,ou=People,dc=example,dc=com
 member: cn=Bugs Bunny,ou=People,dc=example,dc=com
 member: cn=Tweety Bird,ou=People,dc=example,dc=com
 
+# Search for non-nested member=cn=Tom Riddle...
+dn: cn=Strays,ou=Groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: Strays
+member: cn=Tom Riddle,ou=People,dc=example,dc=com
+
 # Re-search for nested member=cn=Bugs Bunny...
 dn: cn=A-M,ou=Groups,dc=example,dc=com
 objectClass: groupOfNames
@@ -244,6 +260,12 @@ member: cn=Mixer2,ou=Groups,dc=example,dc=com
 member: cn=Mixer3,ou=Groups,dc=example,dc=com
 member: cn=A-M,ou=Groups,dc=example,dc=com
 
+# Re-search for non-nested member=cn=Tom Riddle...
+dn: cn=Strays,ou=Groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: Strays
+member: cn=Tom Riddle,ou=People,dc=example,dc=com
+
 # Search the expanded groups...
 dn: cn=A-M,ou=Groups,dc=example,dc=com
 objectClass: groupOfNames
@@ -387,3 +409,8 @@ cn: Rabbits
 member: cn=Roger Rabbit,ou=People,dc=example,dc=com
 member: cn=Jessica Rabbit,ou=People,dc=example,dc=com
 
+dn: cn=Strays,ou=Groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: Strays
+member: cn=Tom Riddle,ou=People,dc=example,dc=com
+

tests/data/nestgroup.out.2

@@ -231,6 +231,17 @@ sn: Rabbit
 memberOf: cn=Rabbits,ou=Groups,dc=example,dc=com
 memberOf: cn=N-Z,ou=Groups,dc=example,dc=com
 
+dn: cn=Strays,ou=Groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: Strays
+member: cn=Tom Riddle,ou=People,dc=example,dc=com
+
+dn: cn=Tom Riddle,ou=People,dc=example,dc=com
+objectClass: inetOrgPerson
+cn: Tom Riddle
+sn: Riddle
+memberOf: cn=Strays,ou=Groups,dc=example,dc=com
+
 dn: cn=Tweety Bird,ou=People,dc=example,dc=com
 objectClass: inetOrgPerson
 cn: Tweety Bird
@@ -574,6 +585,17 @@ memberOf: cn=Mixer1,ou=Groups,dc=example,dc=com
 memberOf: cn=Mixer4,ou=Groups,dc=example,dc=com
 memberOf: cn=Leporidae,ou=Groups,dc=example,dc=com
 
+dn: cn=Strays,ou=Groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: Strays
+member: cn=Tom Riddle,ou=People,dc=example,dc=com
+
+dn: cn=Tom Riddle,ou=People,dc=example,dc=com
+objectClass: inetOrgPerson
+cn: Tom Riddle
+sn: Riddle
+memberOf: cn=Strays,ou=Groups,dc=example,dc=com
+
 dn: cn=Tweety Bird,ou=People,dc=example,dc=com
 objectClass: inetOrgPerson
 cn: Tweety Bird

tests/scripts/test089-nestgroup

@@ -195,6 +195,11 @@ objectClass: inetOrgPerson
 cn: Porky Pig
 sn: Pig
 
+dn: cn=Tom Riddle,ou=People,$BASEDN
+objectClass: inetOrgPerson
+cn: Tom Riddle
+sn: Riddle
+
 dn: cn=Rabbits,ou=Groups,$BASEDN
 objectClass: groupOfNames
 cn: Rabbits
@@ -293,6 +298,11 @@ cn: Loop, Endless
 member: cn=Wile E. Coyote,ou=People,$BASEDN
 member: cn=Endless Loop,ou=Groups,$BASEDN
 
+dn: cn=Strays,ou=Groups,$BASEDN
+objectClass: groupOfNames
+cn: Strays
+member: cn=Tom Riddle,ou=People,$BASEDN
+
 EOF
 RC=$?
 if test $RC != 0 ; then
@@ -323,6 +333,17 @@ if test $RC != 0 ; then
 	exit $RC
 fi
 
+echo "Search for non-nested member=cn=Tom Riddle..."
+echo "# Search for non-nested member=cn=Tom Riddle..." >> $SEARCHOUT
+$LDAPSEARCH -S "" -b "$BASEDN" -H $URI1 \
+	"(member=cn=Tom Riddle,ou=People,$BASEDN)" '*' memberof >> $SEARCHOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapsearch failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
 echo "Running ldapmodify to enable nested member filter..."
 $LDAPMODIFY -H $URI1 -D 'cn=config' -w `cat $CONFIGPWF` \
 	>> $TESTOUT 2>&1 <<EOF
@@ -350,6 +371,17 @@ if test $RC != 0 ; then
 	exit $RC
 fi
 
+echo "Re-search for non-nested member=cn=Tom Riddle..."
+echo "# Re-search for non-nested member=cn=Tom Riddle..." >> $SEARCHOUT
+$LDAPSEARCH -S "" -b "$BASEDN" -H $URI1 \
+	"(member=cn=Tom Riddle,ou=People,$BASEDN)" '*' memberof >> $SEARCHOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapsearch failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
 echo "Running ldapmodify to enable nested member values..."
 $LDAPMODIFY -H $URI1 -D 'cn=config' -w `cat $CONFIGPWF` \
 	>> $TESTOUT 2>&1 <<EOF
@@ -541,6 +573,11 @@ replace: member
 member: cn=Wile E. Coyote,ou=People,$BASEDN
 member: cn=Endless Loop,ou=Groups,$BASEDN
 
+dn: cn=Strays,ou=Groups,$BASEDN
+changetype: modify
+replace: member
+member: cn=Tom Riddle,ou=People,$BASEDN
+
 EOF
 RC=$?
 if test $RC != 0 ; then