https://bugs.openldap.org/show_bug.cgi?id=10450

--- Comment #5 from KY <[email protected]> ---
Thanks for the patch — the addition of filter_free_x in the AND/OR error
paths is correct and necessary to avoid leaking partially constructed filter
lists. However, there is one problem: get_filter_list does not initialize
its output parameter on entry. If parsing fails on the very first child
element (e.g. SLAPD_DISCONNECT from a malformed BER), the function returns
immediately without ever writing to *f, leaving f.f_and/f.f_or as
uninitialized stack garbage. The new filter_free_x call then tries to
iterate that garbage pointer, causing a SEGV:
AddressSanitizer:DEADLYSIGNAL
==39297==ERROR: AddressSanitizer: SEGV on unknown address 0x7b5b0000000f
 (pc 0x561861ca2bb8 bp 0x7fffd5dec070 sp 0x7fffd5dec020 T0)
==39297==The signal is caused by a READ memory access.
    #0 0x561861ca2bb8 in filter_free_x servers/slapd/filter.c:572
    #1 0x561861ca15ad in get_filter0 servers/slapd/filter.c
    #2 0x561861ca17fc in get_filter0 servers/slapd/filter.c:260
    #3 0x561861ca17fc in get_filter0 servers/slapd/filter.c:260
    #4 0x561861cabcc7 in get_filter_list servers/slapd/filter.c:352
    #5 0x561861ca1231 in get_filter0 servers/slapd/filter.c:245
    #6 0x561861cabcc7 in get_filter_list servers/slapd/filter.c:352
    #7 0x561861ca1231 in get_filter0 servers/slapd/filter.c:245
    #8 0x561861ca17fc in get_filter0 servers/slapd/filter.c:260
    #9 0x561861ca17fc in get_filter0 servers/slapd/filter.c:260
    #10 0x561861cabcc7 in get_filter_list servers/slapd/filter.c:352
    #11 0x561861ca1584 in get_filter0 servers/slapd/filter.c:231
    #12 0x561861ce6657 in do_search servers/slapd/search.c:126
    #13 0x561861c93e8d in connection_operation servers/slapd/connection.c:1137
    #14 0x561861c97757 in connection_read_thread servers/slapd/connection.c:1289
Adding *f = NULL at the entry of get_filter_list fixes it, ensuring the
output is always safe to pass to filter_free_x on any early return:
diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
index 18970a4..bd94643 100644
--- a/servers/slapd/filter.c
+++ b/servers/slapd/filter.c
@@ -342,6 +344,7 @@ get_filter_list( Operation *op, BerElement *ber,
        char            *last;

        Debug( LDAP_DEBUG_FILTER, "begin get_filter_list\n" );
+       *f = NULL;
        new = f;
        for ( tag = ber_first_element( ber, &len, &last );
                tag != LBER_DEFAULT;
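Review bot: the `*f = NULL;` line carries a non-obvious invariant (callers free `*f` on every early return, including the return before the first element is decoded), so it deserves a one-line comment at that spot, e.g. `/* callers free *f on any error path, so it must never hold stack garbage */`; otherwise a later refactor could drop it as redundant, since `new = f` on the next line makes it look like `*f` is always written by the loop.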
