ehlo,

The dbus_req and associated talloc context are no longer valid after
execution of the function sbus_request_return_and_finish, even if an error code
was returned.

Simple patch is attached.

LS
From 91c689ba310b9f9351ae43d2676261e8e7426d15 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lsleb...@redhat.com>
Date: Sat, 24 Jan 2015 09:17:35 -0500
Subject: [PATCH] PROXY: Fix use after free

The dbus_req and associated talloc context are no longer valid after
execution of the function sbus_request_return_and_finish, even if an error code
was returned.

==32479== Invalid read of size 8
==32479==    at 0x131F275F: client_registration (proxy_init.c:474)
==32479==    by 0x529709E: sbus_request_invoke_or_finish (sssd_dbus_request.c:69)
==32479==    by 0x52949B3: sbus_handler_got_caller_id (sssd_dbus_connection.c:555)
==32479==    by 0x89B27E3: tevent_common_loop_immediate (tevent_immediate.c:135)
==32479==    by 0x89B70CD: epoll_event_loop_once (tevent_epoll.c:907)
==32479==    by 0x89B57D6: std_event_loop_once (tevent_standard.c:114)
==32479==    by 0x89B1FBC: _tevent_loop_once (tevent.c:530)
==32479==    by 0x89B215A: tevent_common_loop_wait (tevent.c:634)
==32479==    by 0x89B5776: std_event_loop_wait (tevent_standard.c:140)
==32479==    by 0x529E255: server_loop (server.c:668)
==32479==    by 0x40DBC5: main (data_provider_be.c:2915)
==32479==  Address 0xb700858 is 104 bytes inside a block of size 136 free'd
==32479==    at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32479==    by 0x8BBE462: _talloc_free (in /usr/lib64/libtalloc.so.2.1.1)
==32479==    by 0x52971A4: sbus_request_finish (sssd_dbus_request.c:95)
==32479==    by 0x529731A: sbus_request_return_and_finish (sssd_dbus_request.c:119)
==32479==    by 0x131F264D: client_registration (proxy_init.c:443)
==32479==    by 0x529709E: sbus_request_invoke_or_finish (sssd_dbus_request.c:69)
==32479==    by 0x52949B3: sbus_handler_got_caller_id (sssd_dbus_connection.c:555)
==32479==    by 0x89B27E3: tevent_common_loop_immediate (tevent_immediate.c:135)
==32479==    by 0x89B70CD: epoll_event_loop_once (tevent_epoll.c:907)
==32479==    by 0x89B57D6: std_event_loop_once (tevent_standard.c:114)
==32479==    by 0x89B1FBC: _tevent_loop_once (tevent.c:530)
==32479==    by 0x89B215A: tevent_common_loop_wait (tevent.c:634)

Resolves:
https://fedorahosted.org/sssd/ticket/2573
---
 src/providers/proxy/proxy_init.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/providers/proxy/proxy_init.c b/src/providers/proxy/proxy_init.c
index f76ad02ae66248ecc5b499e29906bcc537684705..791942420d2dd09d5d0ee1ca27e4969149f85ba3 100644
--- a/src/providers/proxy/proxy_init.c
+++ b/src/providers/proxy/proxy_init.c
@@ -445,7 +445,7 @@ static int client_registration(struct sbus_request 
*dbus_req, void *data)
     if (hret != HASH_SUCCESS) {
         DEBUG(SSSDBG_CRIT_FAILURE,
               "Hash error [%d][%s]\n", hret, hash_error_string(hret));
-        sbus_disconnect(dbus_req->conn);
+        sbus_disconnect(conn);
     }
 
     /* Signal that the child is up and ready to receive the request */
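Review bot: the replacement `sbus_disconnect(conn);` depends on a local `conn` that is neither declared nor assigned anywhere in this hunk; the fix only holds if `conn` is copied out of `dbus_req->conn` before the `sbus_request_return_and_finish` call at proxy_init.c:443, which the Valgrind trace shows freeing the request. Please confirm that assignment sits above line 443, and add a comment next to that call saying that `dbus_req` is invalid afterwards, so nobody reintroduces a `dbus_req->` access in this error path.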
@@ -464,7 +464,7 @@ static int client_registration(struct sbus_request 
*dbus_req, void *data)
     }
 
     init_ctx = tevent_req_data(child_ctx->init_req, struct pc_init_ctx);
-    init_ctx->conn = dbus_req->conn;
+    init_ctx->conn = conn;
     tevent_req_done(child_ctx->init_req);
     child_ctx->init_req = NULL;
 
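Review bot: `init_ctx->conn = conn;` corrects the read the trace reports at proxy_init.c:474, but the stale `dbus_req` parameter stays in scope for the rest of `client_registration`. Consider adding `dbus_req = NULL;` immediately after the `sbus_request_return_and_finish` call so a later dereference fails loudly instead of silently reading freed talloc memory; that makes the ownership hand-off visible in the code rather than only in the commit message.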
-- 
2.1.0

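The pattern behind the patch, as an added illustration that is not SSSD code: a request object owns its connection pointer, the "finish" routine frees the request whether or not it reports an error, so everything the handler still needs must be copied out beforehand. The names `struct request`, `request_return_and_finish` and `handle_registration` are hypothetical stand-ins for `struct sbus_request`, `sbus_request_return_and_finish` and `client_registration`; the hash-error input is a constructed argument.

```c
/* Added example, not SSSD code: ownership contract of a request that is
 * freed by its own finish routine (stand-in for sbus_request_return_and_finish). */
#include <stdlib.h>
#include <string.h>

struct conn {
    int disconnected;       /* set when the handler gives up on the peer */
    int requests_finished;  /* counts replies sent on this connection */
};

struct request {
    struct conn *conn;      /* borrowed; outlives the request */
    char *payload;          /* owned by the request, freed with it */
};

/* Allocate a request carrying a copy of payload (stand-in for talloc). */
struct request *request_new(struct conn *c, const char *payload)
{
    size_t len = strlen(payload) + 1;
    struct request *req = calloc(1, sizeof(*req));
    if (req == NULL)
        return NULL;
    req->payload = malloc(len);
    if (req->payload == NULL) {
        free(req);
        return NULL;
    }
    memcpy(req->payload, payload, len);
    req->conn = c;
    return req;
}

/* Sends the reply and releases the request unconditionally: the caller
 * must treat req as dangling after this returns, even when rc != 0. */
int request_return_and_finish(struct request *req, int rc)
{
    req->conn->requests_finished++;
    free(req->payload);
    free(req);
    return rc;
}

/* Handler shaped like client_registration after the fix: the connection
 * pointer is captured before the request is finished, the stale parameter
 * is nulled, and every later access goes through the local copy.
 * hash_rc models the HASH_SUCCESS check; out_conn receives the connection
 * on success. Returns 0 on success, -1 when the hash step failed. */
int handle_registration(struct request *req, int hash_rc, struct conn **out_conn)
{
    struct conn *conn = req->conn;              /* copy out before finish */
    int ret = request_return_and_finish(req, 0);
    req = NULL;                                  /* dangling from here on */

    if (hash_rc != 0) {
        conn->disconnected = 1;                  /* was req->conn->..., the UAF */
        return -1;
    }
    *out_conn = conn;                            /* was init_ctx->conn = req->conn */
    return ret;
}
```

The discipline the patch applies is the second and third lines of `handle_registration`: take the pointer you still need, finish the request, and never touch the parameter again. Nulling it costs nothing and turns a future mistake into an immediate crash rather than a read of freed talloc memory that only Valgrind notices.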
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
