From 3843896488b0b895cff033456630954108d7a1d3 Mon Sep 17 00:00:00 2001
From: jkjo92
Date: Thu, 27 Jul 2017 11:37:51 +0900
Subject: [PATCH] fix security svace issue
Change-Id: Ic3f37794e46d4db03f57973257bacfe3d75c18d9
Signed-off-by: jkjo92
---
 server/auth_discovery/src/BoundADProvider.cpp | 1 +
 server/src/AsmStorage.cpp | 9 ++++++---
 2 files changed, 7 insertions(+), 3 deletions(-)
 mode change 100644 => 100755 server/auth_discovery/src/BoundADProvider.cpp
 mode change 100644 => 100755 server/src/AsmStorage.cpp
diff --git a/server/auth_discovery/src/BoundADProvider.cpp b/server/auth_discovery/src/BoundADProvider.cpp
old mode 100644
new mode 100755
index 0a2bd7b..f2a26b8
--- a/server/auth_discovery/src/BoundADProvider.cpp
+++ b/server/auth_discovery/src/BoundADProvider.cpp
@@ -54,6 +54,7 @@ BoundADProvider::getAuthStubList(void)
 stubList->push_back(it->second);
 _INFO("");
 }
+ delete __stubCache;
 _INFO("");
 return stubList;
 }
diff --git a/server/src/AsmStorage.cpp b/server/src/AsmStorage.cpp
old mode 100644
new mode 100755
index add6a9f..604402d
--- a/server/src/AsmStorage.cpp
+++ b/server/src/AsmStorage.cpp
@@ -799,6 +799,7 @@ AsmStorage::searchData(IStorageParcel *parcel)
 char q[BUFFLEN] = {0};
 char *value = NULL;
 char query[BUFFLEN] = {0};
+ char execquery[BUFFLEN] = {0};
 SearchCbData cbData;
@@ -1029,7 +1030,8 @@ AsmStorage::searchData(IStorageParcel *parcel)
 cbData.resList = resultList;
 _INFO("AsmStorage::searchData:: query = [%s]", query);
- int ret = sqlite3_exec(dbHandle, query, searchItemCb, &cbData, &errMsg);
+ sqlite3_mprintf(execquery, query);
+ int ret = sqlite3_exec(dbHandle, execquery, searchItemCb, &cbData, &errMsg);
 _INFO("AsmStorage::searchData:: ERROR MSG : [%s]", errMsg);
 CATCH_IF_FAIL(ret == SQLITE_OK);
@@ -1057,6 +1059,7 @@ AsmStorage::deleteData(IStorageParcel *parcel)
 char *errMsg = NULL;
 char q[BUFFLEN] = {0};
 char *value = NULL;
+ char execquery[BUFFLEN] = {0};
 char query[BUFFLEN] = {0};
 RET_IF_FAIL(parcel != NULL, SQLITE_ERROR);
 int ret = 0;
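Review bot: `delete __stubCache;` in getAuthStubList leaves the pointer holding the freed address, and nothing in this hunk resets it. If `__stubCache` is a member or otherwise outlives this call (its declaration is outside the hunk), a second call to `getAuthStubList()` or a destructor that also deletes it would touch freed memory; write `delete __stubCache; __stubCache = NULL;` or give the cache a scoped owner. It is also worth confirming that the `it->second` values pushed into `stubList` are not owned by the cache being deleted. The function body starts outside the hunk.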
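Review bot: `sqlite3_mprintf(execquery, query);` in the searchData hunk at `@@ -1029,7 +1030,8` passes `execquery` as the format string, and the newly allocated result is discarded and never given to `sqlite3_free`. The call does not write into `execquery`, so the buffer stays all zeros and `sqlite3_exec` runs an empty statement that returns SQLITE_OK without ever invoking `searchItemCb`. The same two lines are added in deleteData at `@@ -1154,8 +1157,8`, where the delete would silently remove nothing while reporting success. If the analyzer finding is about tainted data reaching `sqlite3_exec` (the commit message does not say), copying the finished string cannot resolve it, because the untrusted text is already inside `query`; the escaping belongs where `query` is assembled, outside these hunks, preferably via `sqlite3_prepare_v2` with `sqlite3_bind_text`, or with `%Q` in the formatting call. Until that is done, keep `sqlite3_exec(dbHandle, query, searchItemCb, &cbData, &errMsg)` and drop the `execquery` buffers declared in the `@@ -799` and `@@ -1057` hunks.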
@@ -1154,8 +1157,8 @@ AsmStorage::deleteData(IStorageParcel *parcel)
 _ERR("AUTHLIST does not allow deletion of entries");
 goto CATCH;
 }
-
- ret = sqlite3_exec(dbHandle, query, NULL, 0, &errMsg);
+ sqlite3_mprintf(execquery, query);
+ ret = sqlite3_exec(dbHandle, execquery, NULL, 0, &errMsg);
 _INFO("AsmStorage::deleteData:: ERROR MSG : [%s]", errMsg);
 CATCH_IF_FAIL(ret == SQLITE_OK);
-- 
2.7.4