The branch, master has been updated via 2e1ab13 s4-dsdb: Use tmp_ctx in kccsrv_check_deleted to avoid leaking memory onto part->dn via 26bfe70 s4-kcc: Avoid use-after-free of dn and add tmp_ctx from 1b487ad s3:selftest: add some tests against a share the requires encryption
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 2e1ab13f6ebb2c2cf746457d4783fe9bc5e86de0 Author: Andrew Bartlett <abart...@samba.org> Date: Fri Aug 17 23:04:56 2012 +1000 s4-dsdb: Use tmp_ctx in kccsrv_check_deleted to avoid leaking memory onto part->dn The confusing use of do_dn as a memory context while legitimate created a bug when it was copied and modified to search on a DN from long-term state. By always using a temporary memory context it is clear what paramter is the memory context. This was found based on a log provided by Ricky Nance <ricky.na...@weaubleau.k12.mo.us>. Thanks Ricky! Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Fri Aug 17 18:24:10 CEST 2012 on sn-devel-104 commit 26bfe70def9905674c74bfe6f9d687b243af4891 Author: Andrew Bartlett <abart...@samba.org> Date: Fri Aug 17 22:47:44 2012 +1000 s4-kcc: Avoid use-after-free of dn and add tmp_ctx By using a tmp_ctx we are clearer about allocating temporary memory. Andrew Bartlett ----------------------------------------------------------------------- Summary of changes: source4/dsdb/kcc/kcc_deleted.c | 17 +++++++++++------ source4/dsdb/kcc/kcc_periodic.c | 11 +++++++++-- 2 files changed, 20 insertions(+), 8 deletions(-) Changeset truncated at 500 lines:
diff --git a/source4/dsdb/kcc/kcc_deleted.c b/source4/dsdb/kcc/kcc_deleted.c
index 0e1a428..63bb97c 100644
--- a/source4/dsdb/kcc/kcc_deleted.c
+++ b/source4/dsdb/kcc/kcc_deleted.c
@@ -83,30 +83,35 @@ NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_ctx)
 struct ldb_result *res;
 const char *attrs[] = { "whenChanged", NULL };
 unsigned int i;
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ if (!tmp_ctx) {
+ return NT_STATUS_NO_MEMORY;
+ }
- ret = dsdb_get_deleted_objects_dn(s->samdb, mem_ctx, part->dn, &do_dn);
+ ret = dsdb_get_deleted_objects_dn(s->samdb, tmp_ctx, part->dn, &do_dn);
 if (ret != LDB_SUCCESS) {
+ TALLOC_FREE(tmp_ctx);
 /* some partitions have no Deleted Objects container */
 continue;
 }
 if (!do_fs && ldb_dn_compare(ldb_get_config_basedn(s->samdb), part->dn)) {
- ret = dsdb_search(s->samdb, do_dn, &res, do_dn, LDB_SCOPE_ONELEVEL, attrs,
+ ret = dsdb_search(s->samdb, tmp_ctx, &res, do_dn, LDB_SCOPE_ONELEVEL, attrs,
 DSDB_SEARCH_SHOW_RECYCLED, NULL);
 } else {
 if (do_fs) {
 DEBUG(1, ("Doing a full scan on %s and looking for deleted object\n",
 ldb_dn_get_linearized(part->dn)));
 }
- ret = dsdb_search(s->samdb, part->dn, &res, part->dn, LDB_SCOPE_SUBTREE, attrs,
+ ret = dsdb_search(s->samdb, tmp_ctx, &res, part->dn, LDB_SCOPE_SUBTREE, attrs,
 DSDB_SEARCH_SHOW_RECYCLED, "(isDeleted=TRUE)");
 }
 if (ret != LDB_SUCCESS) {
 DEBUG(1,(__location__ ": Failed to search for deleted objects in %s\n",
- ldb_dn_get_linearized(do_dn)));
- talloc_free(do_dn);
+ ldb_dn_get_linearized(do_dn)));
+ TALLOC_FREE(tmp_ctx);
 continue;
 }
@@ -134,7 +139,7 @@ NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_ctx)
 }
 }
- talloc_free(do_dn);
+ TALLOC_FREE(tmp_ctx);
 }
 return NT_STATUS_OK;
diff --git a/source4/dsdb/kcc/kcc_periodic.c b/source4/dsdb/kcc/kcc_periodic.c
index f96347f..8f705d7 100644
--- a/source4/dsdb/kcc/kcc_periodic.c
+++ b/source4/dsdb/kcc/kcc_periodic.c
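Review bot: The re-added diagnostic line `ldb_dn_get_linearized(do_dn)));` in the search-failure branch names the Deleted Objects container even when the else branch ran a subtree search on `part->dn`, so a failed full scan is logged against a DN that was never searched. Keeping the searched DN in a local that both branches set, e.g. `struct ldb_dn *search_dn = do_dn;` before the `if (!do_fs ...)` and `search_dn = part->dn;` in the else branch, and printing that together with `ldb_errstring(s->samdb)` would make the failure actionable. Note also that the `TALLOC_FREE(tmp_ctx)` pairing with `talloc_new(mem_ctx)` sits in the second hunk at the bottom of the loop body, so any early exit introduced between the two hunks must free tmp_ctx or it accumulates on the caller's mem_ctx once per partition; the early `return NT_STATUS_NO_MEMORY` is leak-free only because nothing has been allocated under tmp_ctx at that point. The enclosing loop over `s->partitions` begins before this hunk, and the per-object loop between the two hunks is not shown.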
@@ -70,10 +70,16 @@ static bool check_MasterNC(struct kccsrv_partition *p, struct repsFromToBlob *r,
 struct repsFromTo1 *r1 = &r->ctr.ctr1;
 struct GUID invocation_id = r1->source_dsa_invocation_id;
 unsigned int i, j;
+ TALLOC_CTX *tmp_ctx;
 /* we are expecting only version 1 */
 SMB_ASSERT(r->version == 1);
+ tmp_ctx = talloc_new(p);
+ if (!tmp_ctx) {
+ return false;
+ }
+
 for (i=0; i<res->count; i++) {
 struct ldb_message *msg = res->msgs[i];
 struct ldb_message_element *el;
@@ -93,23 +99,24 @@ static bool check_MasterNC(struct kccsrv_partition *p, struct repsFromToBlob *r,
 }
 }
 for (j=0; j<el->num_values; j++) {
- dn = ldb_dn_from_ldb_val(p, p->service->samdb, &el->values[j]);
+ dn = ldb_dn_from_ldb_val(tmp_ctx, p->service->samdb, &el->values[j]);
 if (!ldb_dn_validate(dn)) {
 talloc_free(dn);
 continue;
 }
 if (ldb_dn_compare(dn, p->dn) == 0) {
- talloc_free(dn);
 DEBUG(5,("%s %s match on %s in %s\n", r1->other_info->dns_name, el->name, ldb_dn_get_linearized(dn), ldb_dn_get_linearized(msg->dn)));
+ talloc_free(tmp_ctx);
 return true;
 }
 talloc_free(dn);
 }
 }
+ talloc_free(tmp_ctx);
 return false;
 }
-- Samba Shared Repository
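Review bot: Returning `false` when `talloc_new(p)` fails makes an allocation failure indistinguishable from a genuine "this source is not a master for the NC" result, and because the temporary context is now parented on the long-lived partition `p`, every exit path must free it or it leaks onto the partition for the lifetime of the service. Both returns visible in the second hunk do free tmp_ctx, but new-side lines 86–98 between the two hunks are not shown here, so any `return` there would leak; a comment at the allocation such as `/* tmp_ctx is freed on every return path; nothing allocated under it may outlive this call */` would record that invariant. If the caller acts on a false result by treating the repsFrom entry as stale, an out-of-memory condition would silently alter replication-topology decisions; at minimum a log line at the failure, `DEBUG(0,(__location__ ": out of memory\n"));`, would make that visible. The function's signature is cut at the hunk header and the body between the hunks is outside this view.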