URL: https://github.com/SSSD/sssd/pull/439
Author: pbrezina
Title: #439: sudo: always use srv_opts from id context
Action: opened

PR body:
"""
Prior to this patch, we remember id_ctx->srv_opts in the sudo request to switch
the latest usn values. This works fine most of the time but it may cause
a crash.

If we have two concurrent sudo refreshes and one of these fails, it causes
failover to try the next server and possibly replace the old srv_opts
with a new one, and it causes an access after free in the other refresh.
"""

To pull the PR as a Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/439/head:pr439
git checkout pr439
From 2c0a0f2babecc3438734cff7bd01362723c59331 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <[email protected]>
Date: Thu, 19 Oct 2017 10:39:21 +0200
Subject: [PATCH] sudo: always use srv_opts from id context

Prior to this patch, we remember id_ctx->srv_opts in the sudo request to switch
the latest usn values. This works fine most of the time but it may cause
a crash.

If we have two concurrent sudo refreshes and one of these fails, it causes
failover to try the next server and possibly replace the old srv_opts
with a new one, and it causes an access after free in the other refresh.
---
 src/providers/ldap/sdap_async_sudo.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/src/providers/ldap/sdap_async_sudo.c b/src/providers/ldap/sdap_async_sudo.c
index e3f3da186..5909e4dbf 100644
--- a/src/providers/ldap/sdap_async_sudo.c
+++ b/src/providers/ldap/sdap_async_sudo.c
@@ -279,7 +279,6 @@ static char *sdap_sudo_get_filter(TALLOC_CTX *mem_ctx,
 struct sdap_sudo_refresh_state {
     struct sdap_sudo_ctx *sudo_ctx;
     struct tevent_context *ev;
-    struct sdap_server_opts *srv_opts;
     struct sdap_options *opts;
     struct sdap_id_op *sdap_op;
     struct sysdb_ctx *sysdb;
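Review bot: struct sdap_sudo_refresh_state still caches opts and sdap_op next to the removed srv_opts field, and the commit message only explains why srv_opts can be freed under a running request. Please confirm that these remaining pointers cannot be replaced by failover while a refresh is in flight, and consider a short comment in the struct saying that srv_opts must not be cached here and has to be read from sudo_ctx->id_ctx at the point of use, so the field is not reintroduced later.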
@@ -405,9 +404,6 @@ static void sdap_sudo_refresh_connect_done(struct tevent_req *subreq)
 
     DEBUG(SSSDBG_TRACE_FUNC, "SUDO LDAP connection successful\n");
 
-    /* Obtain srv_opts here in case of first connection. */
-    state->srv_opts = state->sudo_ctx->id_ctx->srv_opts;
-
     /* Renew host information if needed. */
     if (state->sudo_ctx->run_hostinfo) {
         subreq = sdap_sudo_get_hostinfo_send(state, state->opts,
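Review bot: the deleted comment in sdap_sudo_refresh_connect_done() ("Obtain srv_opts here in case of first connection") was the only note that id_ctx->srv_opts may not be populated until a connection has been made. That ordering assumption still matters for the later read in sdap_sudo_refresh_done(), so it would help to keep a one-line comment stating that srv_opts is valid only after a successful connect and may change on failover.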
@@ -559,7 +555,7 @@ static void sdap_sudo_refresh_done(struct tevent_req *subreq)
     /* remember new usn */
     ret = sysdb_get_highest_usn(state, rules, rules_count, &usn);
     if (ret == EOK) {
-        sdap_sudo_set_usn(state->srv_opts, usn);
+        sdap_sudo_set_usn(state->sudo_ctx->id_ctx->srv_opts, usn);
     } else {
         DEBUG(SSSDBG_MINOR_FAILURE, "Unable to get highest USN [%d]: %s\n",
               ret, sss_strerror(ret));
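Review bot: missing check in sdap_sudo_refresh_done() on the new sdap_sudo_set_usn(state->sudo_ctx->id_ctx->srv_opts, usn) call: the pointer is now whatever id_ctx holds when the request completes, which per the commit message may belong to a different server after failover. Two things to confirm: that sdap_sudo_set_usn() tolerates a NULL srv_opts if failover has dropped the old one and not yet installed a new one, and that storing a USN computed from rules fetched over the old connection into the new server's srv_opts is acceptable, since a USN from one server is not necessarily comparable with another's. If it is not, compare against the srv_opts seen at connect time (by identity only, without dereferencing) and skip the update when they differ.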