Full_Name: Rein Tollevik
Version: 2.3.34
OS: Solaris 8
URL:
Submission from: (NULL) (81.93.160.250)
The fix for ITS#4780 seems to have introduced a memory corruption when ACL sets are used; it causes memory that is still in use to be freed after two sets are or'ed. Furthermore, the fix only frees the value in the first element of a multi-element set, i.e. it still leaks memory when the values should be released.
Our servers started segfaulting shortly after we upgraded from version 2.3.19 to 2.3.34, but have stayed alive after the patch included below was applied.
Rein Tollevik Basefarm AS
Index: servers/slapd/sets.c =================================================================== RCS file: /f/CVSROOT/drift/OpenLDAP/servers/slapd/sets.c,v retrieving revision 1.1.1.10 retrieving revision 1.13 diff -u -u -w -r1.1.1.10 -r1.13 --- servers/slapd/sets.c 5 Jan 2007 09:02:42 -0000 1.1.1.10 +++ servers/slapd/sets.c 13 Mar 2007 11:35:18 -0000 1.13 @@ -181,6 +181,12 @@ } } BER_BVZERO( &set[ last ] ); + + /* We have already copied, duplicated or freed + * the values in lset and rset, so don't free + * them again! + */ + op_flags |= SLAP_SET_LREFVAL|SLAP_SET_RREFVAL; } break;
@@ -264,21 +270,14 @@ }
done:; - if ( !( op_flags & SLAP_SET_LREFARR ) && lset != NULL ) { - if ( !( op_flags & SLAP_SET_LREFVAL )) - cp->set_op->o_tmpfree( lset->bv_val, cp->set_op->o_tmpmemctx ); - cp->set_op->o_tmpfree( lset, cp->set_op->o_tmpmemctx ); - } - - if ( !( op_flags & SLAP_SET_RREFARR ) && rset != NULL ) { - if ( !( op_flags & SLAP_SET_RREFVAL )) - cp->set_op->o_tmpfree( rset->bv_val, cp->set_op->o_tmpmemctx ); - cp->set_op->o_tmpfree( rset, cp->set_op->o_tmpmemctx ); - } + if ( lset != NULL ) + slap_set_dispose( cp, lset, SLAP_SET_LREF2REF( op_flags )); + if ( rset != NULL ) + slap_set_dispose( cp, rset, SLAP_SET_RREF2REF( op_flags ));
return set; }
static BerVarray set_chase( SLAP_SET_GATHER gatherer,
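Review bot: In the hunk at @@ -181,6 +181,12, the line "op_flags |= SLAP_SET_LREFVAL|SLAP_SET_RREFVAL;" runs unconditionally at the end of the block and reuses the "values are referenced" flags to mean "ownership of the values has already been settled". The loop that fills set is not visible here, so please confirm that every value from lset and rset that is not carried over into set is freed inside that loop; if any path skips a value without freeing it, suppressing the later free trades the double free for a leak. Extending the new comment to say which case (copied, duplicated, freed) applies on which path would make this checkable.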
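Review bot: In the hunk at @@ -264,21 +270,14, the cleanup under done: now depends entirely on slap_set_dispose() and on SLAP_SET_LREF2REF() / SLAP_SET_RREF2REF(), none of which are defined in this diff. The removed code tested the REFARR bit before freeing the array and the REFVAL bit before freeing bv_val, so please confirm that the two macros carry both bits across and that slap_set_dispose() walks every element of the array rather than only the first, since that is the leak the report describes. Separately, the diff was generated with -w, so whitespace changes are suppressed and it may not apply cleanly; regenerating it without -w would help.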