From e0e65f309dc0eb5582387acf1b2c2b5b3955f6b6 Mon Sep 17 00:00:00 2001
From: Ryan Tandy
Date: Wed, 17 May 2017 20:07:39 -0700
Subject: [PATCH] Fix double free of search base with page size 0
CVE: CVE-2017-9287
Upstream-Status: Submitted
Signed-off-by: Fan Xin
---
 servers/slapd/back-mdb/search.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/servers/slapd/back-mdb/search.c b/servers/slapd/back-mdb/search.c
index 009939d..d0db918 100644
--- a/servers/slapd/back-mdb/search.c
+++ b/servers/slapd/back-mdb/search.c
@@ -1066,7 +1066,8 @@ notfound:
 /* check size limit */
 if ( get_pagedresults(op) > SLAP_CONTROL_IGNORED ) {
 if ( rs->sr_nentries >= ((PagedResultsState *)op->o_pagedresults_state)->ps_size ) {
- mdb_entry_return( op, e );
+ if (e != base)
+ mdb_entry_return( op, e );
 e = NULL;
 send_paged_response( op, rs, &lastid, tentries );
 goto done;
-- 2.1.4
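Review bot: The new guard `if (e != base)` in front of `mdb_entry_return( op, e )` has no comment saying why the base entry is skipped, and for a double-free fix that ownership rule is what keeps a later cleanup from removing the check. I would add above it something like `/* e can alias base here (paged search, page size 0); base is released once on the exit path, so it must not be returned twice */`. The release on the `done` path is inferred from the commit subject and is not visible in this hunk, so confirm it before wording the comment. The guard is also unbraced and written `if (e != base)` while the surrounding lines use `if ( ... ) {`; bracing it in the local style would keep `e = NULL;` visibly outside the conditional. The enclosing function starts and ends outside the hunk, so its other `mdb_entry_return( op, e )` call sites could not be checked for the same aliasing.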