The branch, master has been updated
via 05b54cc talloc_stack: Call talloc destructors while frame is still
around
via f75e8f5 check return value before using key_values
via 6b52d21 ldb: check return values
from 97eaeea krb5_wrap: fix keep_old_entries logic for older kerberos
libraries
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 05b54cc259645f69e14de2703724c284ed25838c
Author: Volker Lendecke <[email protected]>
Date: Fri Jun 22 16:25:10 2018 +0200
talloc_stack: Call talloc destructors while frame is still around
This fixes "samba-tool ntacl set -d10"
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Jeremy Allison <[email protected]>
Autobuild-User(master): Jeremy Allison <[email protected]>
Autobuild-Date(master): Sat Jun 23 04:56:44 CEST 2018 on sn-devel-144
commit f75e8f58cd2390c092631803d333adadb475306a
Author: Andrej Gessel <[email protected]>
Date: Tue Jun 19 10:07:51 2018 +0200
check return value before using key_values
there are also mem leaks in this function
Signed-off-by: Andrej Gessel <[email protected]>
Reviewed-by: Volker Lendecke <[email protected]>
Reviewed-by: Jeremy Allison <[email protected]>
commit 6b52d21e6040699a72aff12fd6ebb34534dcb457
Author: Andrej Gessel <[email protected]>
Date: Fri Jun 15 11:02:15 2018 +0200
ldb: check return values
Signed-off-by: Andrej Gessel <[email protected]>
Reviewed-by: Volker Lendecke <[email protected]>
Reviewed-by: Jeremy Allison <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
lib/ldb/ldb_tdb/ldb_index.c | 20 +++++++++++++++++---
lib/ldb/ldb_tdb/ldb_search.c | 5 ++++-
lib/util/talloc_stack.c | 29 +++++++++++++++++++++++++++++
3 files changed, 50 insertions(+), 4 deletions(-)
Changeset truncated at 500 lines:
diff --git a/lib/ldb/ldb_tdb/ldb_index.c b/lib/ldb/ldb_tdb/ldb_index.c
index d59b4b1..fb60612 100644
--- a/lib/ldb/ldb_tdb/ldb_index.c
+++ b/lib/ldb/ldb_tdb/ldb_index.c
@@ -450,6 +450,10 @@ normal_index:
list->count = el->values[0].length / LTDB_GUID_SIZE;
list->dn = talloc_array(list, struct ldb_val, list->count);
+ if (list->dn == NULL) {
+ talloc_free(msg);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
/*
* The actual data is on msg, due to
@@ -715,6 +719,9 @@ static int ltdb_dn_list_store(struct ldb_module *module,
struct ldb_dn *dn,
}
key.dptr = discard_const_p(unsigned char, ldb_dn_get_linearized(dn));
+ if (key.dptr == NULL) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
key.dsize = strlen((char *)key.dptr);
rec = tdb_fetch(ltdb->idxptr->itdb, key);
@@ -1758,13 +1765,14 @@ static int ltdb_index_filter(struct ltdb_private *ltdb,
struct guid_tdb_key,
dn_list->count);
+ if (key_values == NULL) {
+ talloc_free(keys);
+ return ldb_module_oom(ac->module);
+ }
for (i = 0; i < dn_list->count; i++) {
keys[i].dptr = key_values[i].guid_key;
keys[i].dsize = sizeof(key_values[i].guid_key);
}
- if (key_values == NULL) {
- return ldb_module_oom(ac->module);
- }
} else {
for (i = 0; i < dn_list->count; i++) {
keys[i].dptr = NULL;
@@ -1781,6 +1789,7 @@ static int ltdb_index_filter(struct ltdb_private *ltdb,
&dn_list->dn[i],
&keys[num_keys]);
if (ret != LDB_SUCCESS) {
+ talloc_free(keys);
return ret;
}
@@ -1818,6 +1827,7 @@ static int ltdb_index_filter(struct ltdb_private *ltdb,
bool matched;
msg = ldb_msg_new(ac);
if (!msg) {
+ talloc_free(keys);
return LDB_ERR_OPERATIONS_ERROR;
}
@@ -1838,6 +1848,7 @@ static int ltdb_index_filter(struct ltdb_private *ltdb,
if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_OBJECT) {
/* an internal error */
+ talloc_free(keys);
talloc_free(msg);
return LDB_ERR_OPERATIONS_ERROR;
}
@@ -1860,6 +1871,7 @@ static int ltdb_index_filter(struct ltdb_private *ltdb,
}
if (ret != LDB_SUCCESS) {
+ talloc_free(keys);
talloc_free(msg);
return ret;
}
@@ -1874,6 +1886,7 @@ static int ltdb_index_filter(struct ltdb_private *ltdb,
talloc_free(msg);
if (ret == -1) {
+ talloc_free(keys);
return LDB_ERR_OPERATIONS_ERROR;
}
@@ -1883,6 +1896,7 @@ static int ltdb_index_filter(struct ltdb_private *ltdb,
* is the callbacks responsiblity, and should
* not be talloc_free()'ed */
ac->request_terminated = true;
+ talloc_free(keys);
return ret;
}
diff --git a/lib/ldb/ldb_tdb/ldb_search.c b/lib/ldb/ldb_tdb/ldb_search.c
index 18f8405..832be9a 100644
--- a/lib/ldb/ldb_tdb/ldb_search.c
+++ b/lib/ldb/ldb_tdb/ldb_search.c
@@ -102,8 +102,11 @@ static int msg_add_distinguished_name(struct ldb_message
*msg)
el.values = &val;
el.flags = 0;
val.data = (uint8_t *)ldb_dn_alloc_linearized(msg, msg->dn);
+ if (val.data == NULL) {
+ return -1;
+ }
val.length = strlen((char *)val.data);
-
+
ret = msg_add_element(msg, &el, 1);
return ret;
}
diff --git a/lib/util/talloc_stack.c b/lib/util/talloc_stack.c
index 9c72c80..4971150 100644
--- a/lib/util/talloc_stack.c
+++ b/lib/util/talloc_stack.c
@@ -94,6 +94,7 @@ static int talloc_pop(TALLOC_CTX *frame)
{
struct talloc_stackframe *ts =
(struct talloc_stackframe *)SMB_THREAD_GET_TLS(global_ts);
+ size_t blocks;
int i;
/* Catch lazy frame-freeing. */
@@ -107,6 +108,34 @@ static int talloc_pop(TALLOC_CTX *frame)
#endif
}
+ for (i=0; i<10; i++) {
+
+ /*
+ * We have to free our children first, calling all
+ * destructors. If a destructor hanging deeply off
+ * "frame" uses talloc_tos() itself while freeing the
+ * toplevel frame, we panic because that nested
+ * talloc_tos() in the destructor does not find a
+ * stackframe anymore.
+ *
+ * Do it in a loop up to 10 times as the destructors
+ * might use more of talloc_tos().
+ */
+
+ talloc_free_children(frame);
+
+ blocks = talloc_total_blocks(frame);
+ if (blocks == 1) {
+ break;
+ }
+ }
+
+ if (blocks != 1) {
+ DBG_WARNING("Left %zu blocks after %i "
+ "talloc_free_children(frame) calls\n",
+ blocks, i);
+ }
+
for (i=ts->talloc_stacksize-1; i>0; i--) {
if (frame == ts->talloc_stack[i]) {
break;
--
Samba Shared Repository
