From e98acc1bfe2194fcdd0e420777eb65a20d55a64b Mon Sep 17 00:00:00 2001 From: Viktor Ashirov Date: Mon, 7 Jul 2025 22:01:09 +0200 Subject: [PATCH] Issue 6848 - AddressSanitizer: leak in do_search Bug Description: When there's a BER decoding error and the function goes to `free_and_return`, the `attrs` variable is not being freed because it's only freed if `!psearch || rc != 0 || err != 0`, but `err` is still 0 at that point. If we reach `free_and_return` from the `ber_scanf` error path, `attrs` was never set in the pblock with `slapi_pblock_set()`, so the `slapi_pblock_get()` call will not retrieve the potentially partially allocated `attrs` from the BER decoding. Fixes: https://github.com/389ds/389-ds-base/issues/6848 Reviewed by: @tbordaz, @droideck (Thanks!)
---
 ldap/servers/slapd/search.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/ldap/servers/slapd/search.c b/ldap/servers/slapd/search.c
index e9b2c3670..f9d03c090 100644
--- a/ldap/servers/slapd/search.c
+++ b/ldap/servers/slapd/search.c
@@ -235,6 +235,7 @@ do_search(Slapi_PBlock *pb)
 log_search_access(pb, base, scope, fstr, "decoding error");
 send_ldap_result(pb, LDAP_PROTOCOL_ERROR, NULL, NULL, 0, NULL);
+ err = 1; /* Make sure we free everything */
 goto free_and_return;
 }
@@ -420,8 +421,17 @@ free_and_return:
 if (!psearch || rc != 0 || err != 0) {
 slapi_ch_free_string(&fstr);
 slapi_filter_free(filter, 1);
- slapi_pblock_get(pb, SLAPI_SEARCH_ATTRS, &attrs);
- charray_free(attrs); /* passing NULL is fine */
+
+ /* Get attrs from pblock if it was set there, otherwise use local attrs */
+ char **pblock_attrs = NULL;
+ slapi_pblock_get(pb, SLAPI_SEARCH_ATTRS, &pblock_attrs);
+ if (pblock_attrs != NULL) {
+ charray_free(pblock_attrs); /* Free attrs from pblock */
+ slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, NULL);
+ } else if (attrs != NULL) {
+ /* Free attrs that were allocated but never put in pblock */
+ charray_free(attrs);
+ }
 charray_free(gerattrs); /* passing NULL is fine */
 /*
 * Fix for defect 526719 / 553356 : Persistent search op failed.
--
2.49.0
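Review bot: After `charray_free(attrs);` in the new else-branch the local `attrs` is left dangling, while the pblock copy is cleared with `slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, NULL);` just above; add `attrs = NULL;` after the free so both owners of the array are reset on this cleanup path and a later free cannot hit the stale pointer. The `attrs != NULL` guard is redundant, since charray_free() accepts NULL as the removed comment notes. The new code frees only the pblock entry when one is present, so it presumably relies on the local `attrs` and the pblock entry referring to the same allocation once slapi_pblock_set() has stored it; if a plugin can replace SLAPI_SEARCH_ATTRS with a different array without freeing the original, the original would still leak here, so a comment such as `/* attrs and the pblock entry alias the same array once stored; free it exactly once */` would record that assumption. The enclosing if-block and do_search() continue past the end of the hunk.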