The branch, master has been updated
       via  2e1ab13 s4-dsdb: Use tmp_ctx in kccsrv_check_deleted to avoid 
leaking memory onto part->dn
       via  26bfe70 s4-kcc: Avoid use-after-free of dn and add tmp_ctx
      from  1b487ad s3:selftest: add some tests against a share the requires 
encryption

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 2e1ab13f6ebb2c2cf746457d4783fe9bc5e86de0
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Aug 17 23:04:56 2012 +1000

    s4-dsdb: Use tmp_ctx in kccsrv_check_deleted to avoid leaking memory onto 
part->dn
    
    The confusing use of do_dn as a memory context while legitimate
    created a bug when it was copied and modified to search on a DN from
    long-term state.
    
    By always using a temporary memory context it is clear what parameter
    is the memory context.
    
    This was found based on a log provided by Ricky Nance
    <ricky.na...@weaubleau.k12.mo.us>.  Thanks Ricky!
    
    Andrew Bartlett
    
    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Fri Aug 17 18:24:10 CEST 2012 on sn-devel-104

commit 26bfe70def9905674c74bfe6f9d687b243af4891
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Aug 17 22:47:44 2012 +1000

    s4-kcc: Avoid use-after-free of dn and add tmp_ctx
    
    By using a tmp_ctx we are clearer about allocating temporary memory.
    
    Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/kcc/kcc_deleted.c  |   17 +++++++++++------
 source4/dsdb/kcc/kcc_periodic.c |   11 +++++++++--
 2 files changed, 20 insertions(+), 8 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/kcc/kcc_deleted.c b/source4/dsdb/kcc/kcc_deleted.c
index 0e1a428..63bb97c 100644
--- a/source4/dsdb/kcc/kcc_deleted.c
+++ b/source4/dsdb/kcc/kcc_deleted.c
@@ -83,30 +83,35 @@ NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, 
TALLOC_CTX *mem_ctx)
                struct ldb_result *res;
                const char *attrs[] = { "whenChanged", NULL };
                unsigned int i;
+               TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+               if (!tmp_ctx) {
+                       return NT_STATUS_NO_MEMORY;
+               }
 
-               ret = dsdb_get_deleted_objects_dn(s->samdb, mem_ctx, part->dn, 
&do_dn);
+               ret = dsdb_get_deleted_objects_dn(s->samdb, tmp_ctx, part->dn, 
&do_dn);
                if (ret != LDB_SUCCESS) {
+                       TALLOC_FREE(tmp_ctx);
                        /* some partitions have no Deleted Objects
                           container */
                        continue;
                }
 
                if (!do_fs && ldb_dn_compare(ldb_get_config_basedn(s->samdb), 
part->dn)) {
-                       ret = dsdb_search(s->samdb, do_dn, &res, do_dn, 
LDB_SCOPE_ONELEVEL, attrs,
+                       ret = dsdb_search(s->samdb, tmp_ctx, &res, do_dn, 
LDB_SCOPE_ONELEVEL, attrs,
                                        DSDB_SEARCH_SHOW_RECYCLED, NULL);
                } else {
                        if (do_fs) {
                                DEBUG(1, ("Doing a full scan on %s and looking 
for deleted object\n",
                                                
ldb_dn_get_linearized(part->dn)));
                        }
-                       ret = dsdb_search(s->samdb, part->dn, &res, part->dn, 
LDB_SCOPE_SUBTREE, attrs,
+                       ret = dsdb_search(s->samdb, tmp_ctx, &res, part->dn, 
LDB_SCOPE_SUBTREE, attrs,
                                        DSDB_SEARCH_SHOW_RECYCLED, 
"(isDeleted=TRUE)");
                }
 
                if (ret != LDB_SUCCESS) {
                        DEBUG(1,(__location__ ": Failed to search for deleted 
objects in %s\n",
-                                ldb_dn_get_linearized(do_dn)));
-                       talloc_free(do_dn);
+                                ldb_dn_get_linearized(do_dn)));        
+                       TALLOC_FREE(tmp_ctx);
                        continue;
                }
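Review bot: The failure message on the new line `ldb_dn_get_linearized(do_dn)));` still names do_dn even when the failing search was the full-scan branch, whose base was part->dn, so the log points at the Deleted Objects container rather than the partition that was actually searched; logging `ldb_dn_get_linearized(part->dn)));` would be accurate in both branches. That same line also gains a run of trailing whitespace. Since `res` is now owned by tmp_ctx, any pointer into the result that the rest of the loop body keeps past the per-iteration `TALLOC_FREE(tmp_ctx)` would dangle — I cannot see that part of the body from here. kccsrv_check_deleted begins before this hunk.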
 
@@ -134,7 +139,7 @@ NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, 
TALLOC_CTX *mem_ctx)
                        }
                }
 
-               talloc_free(do_dn);
+               TALLOC_FREE(tmp_ctx);
        }
 
        return NT_STATUS_OK;
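Review bot: Only the exits visible in this and the previous hunk free tmp_ctx; the stretch of the partition loop between the two hunks is not shown, so any `continue` or `return` there would leave a tmp_ctx, together with its search result, parented on mem_ctx on every iteration. Worth checking that stretch, or restructuring so a single exit point performs the free.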
diff --git a/source4/dsdb/kcc/kcc_periodic.c b/source4/dsdb/kcc/kcc_periodic.c
index f96347f..8f705d7 100644
--- a/source4/dsdb/kcc/kcc_periodic.c
+++ b/source4/dsdb/kcc/kcc_periodic.c
@@ -70,10 +70,16 @@ static bool check_MasterNC(struct kccsrv_partition *p, 
struct repsFromToBlob *r,
        struct repsFromTo1 *r1 = &r->ctr.ctr1;
        struct GUID invocation_id = r1->source_dsa_invocation_id;
        unsigned int i, j;
+       TALLOC_CTX *tmp_ctx;
 
        /* we are expecting only version 1 */
        SMB_ASSERT(r->version == 1);
 
+       tmp_ctx = talloc_new(p);
+       if (!tmp_ctx) {
+               return false;
+       }
+
        for (i=0; i<res->count; i++) {
                struct ldb_message *msg = res->msgs[i];
                struct ldb_message_element *el;
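Review bot: tmp_ctx is parented on p, the partition object, so a return path in the part of check_MasterNC between this hunk and the next that is not shown would leak it onto the partition each time the periodic check runs; only the two returns in the following hunk are visibly covered. Returning false on talloc_new failure is also indistinguishable to the caller from "no match", which presumably drives a decision, so a `DEBUG(0, ("check_MasterNC: talloc_new failed\n"));` before that return would at least make an out-of-memory visible in the logs. For consistency with kcc_deleted.c in the same commit the context could be created at its declaration, `TALLOC_CTX *tmp_ctx = talloc_new(p);`, dropping the separate assignment. The function's signature starts before this hunk.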
@@ -93,23 +99,24 @@ static bool check_MasterNC(struct kccsrv_partition *p, 
struct repsFromToBlob *r,
                        }
                }
                for (j=0; j<el->num_values; j++) {
-                       dn = ldb_dn_from_ldb_val(p, p->service->samdb, 
&el->values[j]);
+                       dn = ldb_dn_from_ldb_val(tmp_ctx, p->service->samdb, 
&el->values[j]);
                        if (!ldb_dn_validate(dn)) {
                                talloc_free(dn);
                                continue;
                        }
                        if (ldb_dn_compare(dn, p->dn) == 0) {
-                               talloc_free(dn);
                                DEBUG(5,("%s %s match on %s in %s\n",
                                         r1->other_info->dns_name,
                                         el->name,
                                         ldb_dn_get_linearized(dn),
                                         ldb_dn_get_linearized(msg->dn)));
+                               talloc_free(tmp_ctx);
                                return true;
                        }
                        talloc_free(dn);
                }
        }
+       talloc_free(tmp_ctx);
        return false;
 }
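Review bot: The frees are inconsistent across the commit: this file uses `talloc_free(tmp_ctx);` while kcc_deleted.c uses `TALLOC_FREE(tmp_ctx);` — either works here, but one form should be used throughout. With dn now parented on tmp_ctx the per-value `talloc_free(dn)` calls are no longer needed for correctness; they do bound memory within a long loop, so a one-line comment such as `/* free each dn early to keep tmp_ctx small over many values */` would stop the next reader from removing them. If ldb_dn_from_ldb_val can return NULL, the `ldb_dn_validate(dn)` call on the following line receives it; I believe ldb tolerates that, but it is worth confirming.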
 


-- 
Samba Shared Repository
