plug potential ld_error leak (ITS#4064)
authorPierangelo Masarati <ando@openldap.org>
Tue, 4 Oct 2005 21:30:30 +0000 (21:30 +0000)
committerPierangelo Masarati <ando@openldap.org>
Tue, 4 Oct 2005 21:30:30 +0000 (21:30 +0000)
libraries/libldap/cyrus.c
libraries/libldap/tls.c

index 5d2d74103ca2fa62806832edf493d119fe44be52..99893b285d87ccbd01bcae215868ffc8b23d57ce 100644 (file)
@@ -689,6 +689,9 @@ ldap_int_sasl_bind(
        if ( (saslrc != SASL_OK) && (saslrc != SASL_CONTINUE) ) {
                rc = ld->ld_errno = sasl_err2ldap( saslrc );
 #if SASL_VERSION_MAJOR >= 2
+               if ( ld->ld_error ) {
+                       LDAP_FREE( ld->ld_error );
+               }
                ld->ld_error = LDAP_STRDUP( sasl_errdetail( ctx ) );
 #endif
                goto done;
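Review bot: The free-before-overwrite block added under `#if SASL_VERSION_MAJOR >= 2` is repeated verbatim in the two later hunks of ldap_int_sasl_bind and in all three tls.c hunks, so the ownership rule for ld->ld_error now lives in six copies that must stay in sync. One shared helper that releases the old string and stores the duplicate would keep that rule in a single place; because the sites span two files it would need a declaration in a library-internal header, and the name below is only a proposal. The sketch also clears the field right after the free, so ld_error never holds a released pointer while sasl_errdetail() is being evaluated, and skips the duplicate for a NULL message (whether sasl_errdetail() can return NULL here is not visible in the hunk). ldap_int_sasl_bind starts and ends outside the hunk.

```c
/* Proposed helper (name is a suggestion): replace ld->ld_error,
 * releasing whatever string it previously owned. */
void
ldap_int_replace_error( LDAP *ld, const char *msg )
{
	if ( ld->ld_error ) {
		LDAP_FREE( ld->ld_error );
		ld->ld_error = NULL;	/* never leave a freed pointer in the handle */
	}
	if ( msg ) {
		ld->ld_error = LDAP_STRDUP( msg );
	}
}

/* ... unchanged: saslrc check and ld_errno assignment ... */
#if SASL_VERSION_MAJOR >= 2
		ldap_int_replace_error( ld, sasl_errdetail( ctx ) );
#endif
```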
@@ -764,6 +767,9 @@ ldap_int_sasl_bind(
                if ( (saslrc != SASL_OK) && (saslrc != SASL_CONTINUE) ) {
                        ld->ld_errno = sasl_err2ldap( saslrc );
 #if SASL_VERSION_MAJOR >= 2
+                       if ( ld->ld_error ) {
+                               LDAP_FREE( ld->ld_error );
+                       }
                        ld->ld_error = LDAP_STRDUP( sasl_errdetail( ctx ) );
 #endif
                        rc = ld->ld_errno;
@@ -775,6 +781,9 @@ ldap_int_sasl_bind(
 
        if ( saslrc != SASL_OK ) {
 #if SASL_VERSION_MAJOR >= 2
+               if ( ld->ld_error ) {
+                       LDAP_FREE( ld->ld_error );
+               }
                ld->ld_error = LDAP_STRDUP( sasl_errdetail( ctx ) );
 #endif
                rc = ld->ld_errno = sasl_err2ldap( saslrc );
index 5e43f8aeb6ae26c1267b066588b04e6a9518d041..71a5e33d20b6f14a752976d0ca622ccc08386afd 100644 (file)
@@ -753,6 +753,10 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
 
                if ((err = ERR_peek_error())) {
                        char buf[256];
+
+                       if ( ld->ld_error ) {
+                               LDAP_FREE( ld->ld_error );
+                       }
                        ld->ld_error = LDAP_STRDUP(ERR_error_string(err, buf));
 #ifdef HAVE_EBCDIC
                        if ( ld->ld_error ) __etoa(ld->ld_error);
@@ -1036,7 +1040,10 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in )
                        Debug( LDAP_DEBUG_ANY,
                                "TLS: unable to get common name from peer certificate.\n",
                                0, 0, 0 );
-                       ret = LDAP_CONNECT_ERROR;
+                       ret = LDAP_CONNECT_ERROR;
+                       if ( ld->ld_error ) {
+                               LDAP_FREE( ld->ld_error );
+                       }
                        ld->ld_error = LDAP_STRDUP(
                                _("TLS: unable to get CN from peer certificate"));
 
@@ -1061,12 +1068,15 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in )
                }
 
                if( ret == LDAP_LOCAL_ERROR ) {
-                        Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
-                                "common name in certificate (%s).\n", 
-                                name, buf, 0 );
-                        ret = LDAP_CONNECT_ERROR;
-                        ld->ld_error = LDAP_STRDUP(
-                                _("TLS: hostname does not match CN in peer certificate"));
+                       Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
+                               "common name in certificate (%s).\n", 
+                               name, buf, 0 );
+                       ret = LDAP_CONNECT_ERROR;
+                       if ( ld->ld_error ) {
+                               LDAP_FREE( ld->ld_error );
+                       }
+                       ld->ld_error = LDAP_STRDUP(
+                               _("TLS: hostname does not match CN in peer certificate"));
                }
        }
        X509_free(x);
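Review bot: Only the three-line `if ( ld->ld_error ) { LDAP_FREE( ld->ld_error ); }` guard is functional in this hunk; the Debug() call, the `ret = LDAP_CONNECT_ERROR;` assignment and the LDAP_STRDUP() lines are removed and re-added with different indentation only, and the preceding hunk does the same to its `ret = LDAP_CONNECT_ERROR;` line. This is the certificate hostname-verification path, where a reviewer has to compare each re-added line against the removed one to confirm that neither the comparison result nor the error code changed. Landing the whitespace cleanup as its own commit would leave this one showing just the added guard. ldap_pvt_tls_check_hostname starts and ends outside the hunk.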