The branch, master has been updated
       via  dfd7ad2... s4:dsdb Fix use of memory after free in repl_meta_data
      from  f4092ec... Plumb the SMB2 front end into the blocking lock backend.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit dfd7ad20832d848349ba2974e43a1d545df2aded
Author: Andrew Bartlett <[email protected]>
Date:   Sat May 1 18:22:20 2010 +1000

    s4:dsdb Fix use of memory after free in repl_meta_data
    
    The upgraded link values were allocated on tmp_ctx, and need to be
    kept until they are written to the DB.  If we don't give the correct
    context, they will be gone after the talloc_free(tmp_ctx).
    
    Found by Matthieu Patou <[email protected]>
    
    Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c |   16 +++++++++-------
 1 files changed, 9 insertions(+), 7 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c 
b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
index 1814b70..11e043f 100644
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
@@ -1407,8 +1407,10 @@ static int replmd_update_la_val(TALLOC_CTX *mem_ctx, 
struct ldb_val *v, struct d
 
 /*
   check if any links need upgrading from w2k format
+
+  The parent_ctx is the ldb_message_element which contains the values array 
that dns[i].v points at, and which should be used for allocating any new value.
  */
-static int replmd_check_upgrade_links(struct parsed_dn *dns, uint32_t count, 
const struct GUID *invocation_id)
+static int replmd_check_upgrade_links(struct parsed_dn *dns, uint32_t count, 
struct ldb_message_element *parent_ctx, const struct GUID *invocation_id)
 {
        uint32_t i;
        for (i=0; i<count; i++) {
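Review bot: The new comment says parent_ctx "should be used for allocating any new value", but the call in the following hunk allocates on `parent_ctx->values`, not on parent_ctx itself, so the comment does not describe the actual talloc parent. Naming the real context makes the ownership rule checkable at the call site: `/* parent_ctx is the ldb_message_element whose values array dns[i].v points into; any upgraded value is allocated as a child of parent_ctx->values so it lives as long as that array rather than tmp_ctx. */`. The body of replmd_check_upgrade_links continues outside this hunk.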
@@ -1422,7 +1424,7 @@ static int replmd_check_upgrade_links(struct parsed_dn 
*dns, uint32_t count, con
                }
 
                /* it's an old one that needs upgrading */
-               ret = replmd_update_la_val(dns, dns[i].v, dns[i].dsdb_dn, 
dns[i].dsdb_dn, invocation_id,
+               ret = replmd_update_la_val(parent_ctx->values, dns[i].v, 
dns[i].dsdb_dn, dns[i].dsdb_dn, invocation_id,
                                           1, 1, 0, 0, false);
                if (ret != LDB_SUCCESS) {
                        return ret;
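Review bot: `parent_ctx->values` is dereferenced on the upgrade path with no check that parent_ctx is non-NULL, and the function's only validation of its inputs is not visible here. The call sites in the later hunks all pass old_el, and the error returns directly above each call suggest old_el has already been validated there, but that is an inference from context outside the hunk. A guard at the top of replmd_check_upgrade_links, `if (parent_ctx == NULL) return LDB_ERR_OPERATIONS_ERROR;`, would make the contract explicit and keep a future caller from turning the old use-after-free into a NULL dereference. The loop this line belongs to starts in the previous hunk and the function continues past this one.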
@@ -1574,8 +1576,8 @@ static int replmd_modify_la_add(struct ldb_module *module,
                talloc_free(tmp_ctx);
                return LDB_ERR_OPERATIONS_ERROR;
        }
-
-       ret = replmd_check_upgrade_links(old_dns, old_num_values, 
invocation_id);
+       
+       ret = replmd_check_upgrade_links(old_dns, old_num_values, old_el, 
invocation_id);
        if (ret != LDB_SUCCESS) {
                talloc_free(tmp_ctx);
                return ret;
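Review bot: The blank line before the replmd_check_upgrade_links call is replaced by a line of trailing whitespace (the removed line is empty, the added line that stands in for it is not), which is a no-op change that will show up in whitespace checks and blame. Keep the original empty line so this hunk only touches the call: the `+` line should be empty rather than indented. The same call-site update in the three later hunks does not have this problem. replmd_modify_la_add starts and ends outside the hunk.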
@@ -1700,7 +1702,7 @@ static int replmd_modify_la_delete(struct ldb_module 
*module,
                return LDB_ERR_OPERATIONS_ERROR;
        }
 
-       ret = replmd_check_upgrade_links(old_dns, old_el->num_values, 
invocation_id);
+       ret = replmd_check_upgrade_links(old_dns, old_el->num_values, old_el, 
invocation_id);
        if (ret != LDB_SUCCESS) {
                talloc_free(tmp_ctx);
                return ret;
@@ -1818,7 +1820,7 @@ static int replmd_modify_la_replace(struct ldb_module 
*module,
                return LDB_ERR_OPERATIONS_ERROR;
        }
 
-       ret = replmd_check_upgrade_links(old_dns, old_num_values, 
invocation_id);
+       ret = replmd_check_upgrade_links(old_dns, old_num_values, old_el, 
invocation_id);
        if (ret != LDB_SUCCESS) {
                talloc_free(tmp_ctx);
                return ret;
@@ -3693,7 +3695,7 @@ linked_attributes[0]:
                return LDB_ERR_OPERATIONS_ERROR;
        }
 
-       ret = replmd_check_upgrade_links(pdn_list, old_el->num_values, 
our_invocation_id);
+       ret = replmd_check_upgrade_links(pdn_list, old_el->num_values, old_el, 
our_invocation_id);
        if (ret != LDB_SUCCESS) {
                talloc_free(tmp_ctx);
                return ret;


-- 
Samba Shared Repository
