fixing ldap memory leaks php#2

ptomulik · ptomulik · commit 42c0dd5a1a90 · 2020-07-13T22:05:10.000+02:00
diff --git a/ext/ldap/ldap.c b/ext/ldap/ldap.c
@@ -166,15 +166,17 @@ static void _php_ldap_control_to_array(LDAP *ld, LDAPControl* ctrl, zval* array,
 		}
 	} else if (strcmp(ctrl->ldctl_oid, LDAP_CONTROL_PAGEDRESULTS) == 0) {
 		int lestimated, rc;
-		struct berval lcookie;
+		struct berval lcookie = { 0, NULL };
 		zval value;
 
 		if (ctrl->ldctl_value.bv_len) {
-			rc = ldap_parse_pageresponse_control(ld, ctrl, &lestimated, &lcookie);
+			/* ldap_parse_pageresponse_control() allocates lcookie.bv_val */
+			rc = ldap_parse_pageresponse_control(ld, ctrl, &lestimated, &lcookie); /* memleak: ??? */
 		} else {
 			/* ldap_parse_pageresponse_control will crash if value is empty */
 			rc = -1;
 		}
+
 		if ( rc == LDAP_SUCCESS ) {
 			array_init(&value);
 			add_assoc_long(&value, "size", lestimated);
@@ -183,6 +185,10 @@ static void _php_ldap_control_to_array(LDAP *ld, LDAPControl* ctrl, zval* array,
 		} else {
 			add_assoc_null(array, "value");
 		}
+
+		if (lcookie.bv_val) {
+			ldap_memfree(lcookie.bv_val);
+		}
 	} else if ((strcmp(ctrl->ldctl_oid, LDAP_CONTROL_PRE_READ) == 0) || (strcmp(ctrl->ldctl_oid, LDAP_CONTROL_POST_READ) == 0)) {
 		BerElement *ber;
 		struct berval bv;
@@ -1630,7 +1636,7 @@ static void php_ldap_do_search(INTERNAL_FUNCTION_PARAMETERS, int scope)
 		php_set_opts(ld->link, ldap_sizelimit, ldap_timelimit, ldap_deref, &old_ldap_sizelimit, &old_ldap_timelimit, &old_ldap_deref);
 
 		/* Run the actual search */
-		errno = ldap_search_ext_s(ld->link, ZSTR_VAL(ldap_base_dn), scope, ZSTR_VAL(ldap_filter), ldap_attrs, ldap_attrsonly, lserverctrls, NULL, NULL, ldap_sizelimit, &ldap_res);
+		errno = ldap_search_ext_s(ld->link, ZSTR_VAL(ldap_base_dn), scope, ZSTR_VAL(ldap_filter), ldap_attrs, ldap_attrsonly, lserverctrls, NULL, NULL, ldap_sizelimit, &ldap_res); /* memleak: !!! */
 
 		if (errno != LDAP_SUCCESS
 			&& errno != LDAP_SIZELIMIT_EXCEEDED
@@ -4254,8 +4260,7 @@ PHP_FUNCTION(ldap_exop_passwd)
 {
 	zval *link, *serverctrls;
 	struct berval luser, loldpw, lnewpw, lgenpasswd;
-	LDAPControl **lserverctrls = NULL, **requestctrls = NULL;
-	LDAPControl *ctrl, **ctrlp;
+	LDAPControl *ctrl, **lserverctrls = NULL, *requestctrls[2] = { NULL, NULL };
 	LDAPMessage* ldap_res;
 	ldap_linkdata *ld;
 	int rc, myargcount = ZEND_NUM_ARGS(), msgid, err;
@@ -4275,16 +4280,10 @@ PHP_FUNCTION(ldap_exop_passwd)
 
 	switch (myargcount) {
 		case 5:
-			requestctrls = safe_emalloc(2, sizeof(*requestctrls), 0);
-			*requestctrls = NULL;
-			ctrlp = requestctrls;
-
-			if (ldap_create_passwordpolicy_control(ld->link, &ctrl) == LDAP_SUCCESS) {
-				*ctrlp = ctrl;
-				++ctrlp;
+			/* ldap_create_passwordpolicy_control() allocates ctrl */
+			if (ldap_create_passwordpolicy_control(ld->link, &ctrl) == LDAP_SUCCESS) { /* memleak: ??? */
+				requestctrls[0] = ctrl;
 			}
-
-			*ctrlp = NULL;
 	}
 
 	/* asynchronous call to get result and controls */
@@ -4294,8 +4293,8 @@ PHP_FUNCTION(ldap_exop_passwd)
 		requestctrls,
 		NULL, &msgid);
 
-	if (requestctrls != NULL) {
-		efree(requestctrls);
+	if (requestctrls[0] != NULL) {
+		ldap_control_free(requestctrls[0]);
 	}
 
 	if (rc != LDAP_SUCCESS ) {
@@ -4317,9 +4316,12 @@ PHP_FUNCTION(ldap_exop_passwd)
 		RETURN_FALSE;
 	}
 
-	rc = ldap_parse_result(ld->link, ldap_res, &err, NULL, &errmsg, NULL, (myargcount > 4 ? &lserverctrls : NULL), 1);
+	rc = ldap_parse_result(ld->link, ldap_res, &err, NULL, &errmsg, NULL, (myargcount > 4 ? &lserverctrls : NULL), 1); /* memleak: ??? */
 	if( rc != LDAP_SUCCESS ) {
 		php_error_docref(NULL, E_WARNING, "Passwd modify extended operation failed: %s (%d)", ldap_err2string(rc), rc);
+		if (lserverctrls) {
+			ldap_controls_free(lserverctrls);
+		}
 		RETURN_FALSE;
 	}
 
