[PATCH] Bugs LDAPSAM : 2 fixes

Aurélien Degrémont adegremont at idealx.com
Fri Oct 31 11:12:43 GMT 2003

Jeremy Allison wrote:

>On Thu, Oct 30, 2003 at 05:57:31PM +0100, Aurélien Degrémont wrote:
>>I recently posted a message concerning a bug with ldapsam.
>>In September somebody posted the same bug concerning rpc vampire (on 
>>samba mailing-list) and explained that with rc1 it was ok.
>>It affects only the group mapping update with LDAPSAM.
>>It was a bug which appeared between the RC3 and RC4 on pdb_ldap.c. Here 
>>is a patch which corrects it.
>Thanks, this fix is already in CVS and will be in Samba 3.0.1.
Thanks, it's great.
But it seems you only applied one change?

Inside ldapsam_update_group_mapping_entry():
The ldap_mods_free() call must really be moved after the 
smbldap_get_dn() call, otherwise the ldapsam_update_group_mapping will 
crash and keep crashing.
In fact, 'result' is a chained-list and 'entry' refers to the first 
element of this list. They point to the same address, so, when 'result' 
is freed, 'entry' is freed too, and as a result, the smbldap_get_dn() 
call crashes as it uses a freed 'entry'. Ask me if it's not clear 
:). But understand that the patch must be applied completely :).



-------------- next part --------------
diff -ruN samba-3.0.1pre1-orig/source/passdb/pdb_ldap.c samba-3.0.1pre1/source/passdb/pdb_ldap.c
--- samba-3.0.1pre1-orig/source/passdb/pdb_ldap.c	Fri Oct 10 20:08:36 2003
+++ samba-3.0.1pre1/source/passdb/pdb_ldap.c	Thu Oct 30 08:50:14 2003
@@ -1983,11 +1983,10 @@
-	ldap_msgfree(result);
 	if (mods == NULL) {
 		DEBUG(4, ("ldapsam_update_group_mapping_entry: mods is empty: nothing to do\n"));
+		ldap_msgfree(result);
+		return NT_STATUS_OK;
 	dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
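Review bot: In the first hunk the result of smbldap_get_dn(..., entry) is assigned to dn with no NULL check visible before it is used, and because ldap_msgfree(result) is no longer called up front, every exit between this call and the free added in the next hunk has to release result itself. Suggest checking dn right after the call and routing the mods == NULL return and any later failure through a single cleanup path that calls ldap_msgfree(result), so a future early return can neither leak result nor reintroduce a use of entry after the free.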
@@ -1998,6 +1997,7 @@
 	ldap_mods_free(mods, True);
+	ldap_msgfree(result);
 	if (rc != LDAP_SUCCESS) {
 		char *ld_error = NULL;
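Review bot: The ldap_msgfree(result) added after ldap_mods_free(mods, True) has no comment explaining why it sits this late; a one-line comment stating that entry points into result and must stay valid until smbldap_get_dn() has been called would stop someone from hoisting the free back to the top of the function. If dn is heap-allocated by smbldap_get_dn(), it also needs releasing on both the rc != LDAP_SUCCESS branch and the success path, which the visible lines do not show.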
