Full_Name: Gerry Calderhead Version: OpenLDAP 2.4.25 OS: Linux RHEL5.5 URL: http://uploading.com/files/ad3ecc7f/0001-Autogroup-double-free-of-LDAPURLDes... Submission from: (NULL) (80.238.1.135)

We found this issue when we swapped from dynlist to autogroup. Dynlist happily supports pulling over multiple attributes (memberuid and member in our case).

When we removed dynlist and added autogroup instead we got an immediate crash because a double-free was picked up by our C library. The code at fault is in autogroup_add_group in the case for was: "to much attributes" now: "too many (%d) attributes" where the lud was free'd then "goto cleanup" was called thus attempting to free it agan.

Fix ---

The bare-minimum change requried to stop the crash in this case is:

File:autogroup.c Function: autogroup_add_group

if ( i > 1 ) { Debug( LDAP_DEBUG_ANY, "autogroup_add_group: to much attributes specified in url <%s>\n", bv->bv_val, 0, 0); /* FIXME: error? */ ldap_free_urldesc( lud ); ch_free( agf ); + continue; }

I've taken the opportunity to sense-check the other error cases here and hence made the error reporting slightly more useful and eliminated the goto. The git-format-patch, containing the fix above and the clean-up I mentioned is available here:

http://uploading.com/files/ad3ecc7f/0001-Autogroup-double-free-of-LDAPURLDes...

sha1sum 313f55d01f37a48c5c29ea5232e6343039e6e956 0001-Autogroup-double-free-of-LDAPURLDesc-lud-in-autogrou.patch

Public Domain Notice --------------------

I, Gerry Calderhead, hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.