389-ds-base/SOURCES/0015-Issue-6895-Crash-if-repl-keep-alive-entry-can-not-be.patch

From ffc3a81ed5852b7f1fbaed79b9b776af23d65b7c Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 23 Jul 2025 19:35:32 -0400
Subject: [PATCH] Issue 6895 - Crash if repl keep alive entry can not be
 created

Description:

Heap use after free when logging that the replicaton keep-alive entry can not
be created. slapi_add_internal_pb() frees the slapi entry, then
we try and get the dn from the entry and we get a use-after-free crash.

Relates: https://github.com/389ds/389-ds-base/issues/6895

Reviewed by: spichugi(Thanks!)
---
 ldap/servers/plugins/chainingdb/cb_config.c        | 3 +--
 ldap/servers/plugins/posix-winsync/posix-winsync.c | 1 -
 ldap/servers/plugins/replication/repl5_init.c      | 3 ---
 ldap/servers/plugins/replication/repl5_replica.c   | 8 ++++----
 4 files changed, 5 insertions(+), 10 deletions(-)

diff --git a/ldap/servers/plugins/chainingdb/cb_config.c b/ldap/servers/plugins/chainingdb/cb_config.c
index 40a7088d7..24fa1bcb3 100644
--- a/ldap/servers/plugins/chainingdb/cb_config.c
+++ b/ldap/servers/plugins/chainingdb/cb_config.c
@@ -44,8 +44,7 @@ cb_config_add_dse_entries(cb_backend *cb, char **entries, char *string1, char *s
         slapi_pblock_get(util_pb, SLAPI_PLUGIN_INTOP_RESULT, &res);
         if (LDAP_SUCCESS != res && LDAP_ALREADY_EXISTS != res) {
             slapi_log_err(SLAPI_LOG_ERR, CB_PLUGIN_SUBSYSTEM,
-                          "cb_config_add_dse_entries - Unable to add config entry (%s) to the DSE: %s\n",
-                          slapi_entry_get_dn(e),
+                          "cb_config_add_dse_entries - Unable to add config entry to the DSE: %s\n",
                           ldap_err2string(res));
             rc = res;
             slapi_pblock_destroy(util_pb);
diff --git a/ldap/servers/plugins/posix-winsync/posix-winsync.c b/ldap/servers/plugins/posix-winsync/posix-winsync.c
index 51a55b643..3a002bb70 100644
--- a/ldap/servers/plugins/posix-winsync/posix-winsync.c
+++ b/ldap/servers/plugins/posix-winsync/posix-winsync.c
@@ -1626,7 +1626,6 @@ posix_winsync_end_update_cb(void *cbdata __attribute__((unused)),
                           "posix_winsync_end_update_cb: "
                           "add task entry\n");
         }
-        /* slapi_entry_free(e_task); */
         slapi_pblock_destroy(pb);
         pb = NULL;
         posix_winsync_config_reset_MOFTaskCreated();
diff --git a/ldap/servers/plugins/replication/repl5_init.c b/ldap/servers/plugins/replication/repl5_init.c
index 8bc0b5372..5047fb8dc 100644
--- a/ldap/servers/plugins/replication/repl5_init.c
+++ b/ldap/servers/plugins/replication/repl5_init.c
@@ -682,7 +682,6 @@ create_repl_schema_policy(void)
                       repl_schema_top,
                       ldap_err2string(return_value));
         rc = -1;
-        slapi_entry_free(e); /* The entry was not consumed */
         goto done;
     }
     slapi_pblock_destroy(pb);
@@ -703,7 +702,6 @@ create_repl_schema_policy(void)
                       repl_schema_supplier,
                       ldap_err2string(return_value));
         rc = -1;
-        slapi_entry_free(e); /* The entry was not consumed */
         goto done;
     }
     slapi_pblock_destroy(pb);
@@ -724,7 +722,6 @@ create_repl_schema_policy(void)
                       repl_schema_consumer,
                       ldap_err2string(return_value));
         rc = -1;
-        slapi_entry_free(e); /* The entry was not consumed */
         goto done;
     }
     slapi_pblock_destroy(pb);
diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
index 59062b46b..a97c807e9 100644
--- a/ldap/servers/plugins/replication/repl5_replica.c
+++ b/ldap/servers/plugins/replication/repl5_replica.c
@@ -465,10 +465,10 @@ replica_subentry_create(const char *repl_root, ReplicaId rid)
     if (return_value != LDAP_SUCCESS &&
         return_value != LDAP_ALREADY_EXISTS &&
         return_value != LDAP_REFERRAL /* CONSUMER */) {
-        slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_subentry_create - Unable to "
-                                                       "create replication keep alive entry %s: error %d - %s\n",
-                      slapi_entry_get_dn_const(e),
-                      return_value, ldap_err2string(return_value));
+        slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_subentry_create - "
+                "Unable to create replication keep alive entry 'cn=%s %d,%s': error %d - %s\n",
+                KEEP_ALIVE_ENTRY, rid, repl_root,
+                return_value, ldap_err2string(return_value));
         rc = -1;
         goto done;
     }
-- 
2.49.0