Hi,
I came across this while testing other stuff. I think the issue was introduced in 1.10, 1.9 looks fine.
bye, Sumit
On 08/07/2013 10:51 AM, Sumit Bose wrote:
Hi,
I came across this while testing other stuff. I think the issue was introduced in 1.10, 1.9 looks fine.
bye, Sumit
0001-Fix-memory-context-for-a-state-member.patch
From b49edd8a0c16365f5243b8d2f076e54baeee4a27 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 7 Aug 2013 10:34:52 +0200
Subject: [PATCH] Fix memory context for a state member
primary_name was allocated on a temporary memory context but as it is a member of the state struct it should belong to the memory context of the state.
 src/providers/ldap/sdap_async_initgroups.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c index ec1cf3e..5242c1a 100644 --- a/src/providers/ldap/sdap_async_initgroups.c +++ b/src/providers/ldap/sdap_async_initgroups.c @@ -2185,7 +2185,7 @@ static errno_t rfc2307bis_nested_groups_step(struct tevent_req *req) goto done; }
- ret = sdap_get_group_primary_name(tmp_ctx, state->opts,
- ret = sdap_get_group_primary_name(state, state->opts, state->groups[state->group_iter], state->dom, &state->primary_name); if (ret != EOK) {
-- 1.7.7.6
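Review bot: with the name now parented on state, every pass through this step allocates a fresh primary_name under state and leaves the previous one in place until the whole request is torn down; since the step indexes state->groups[state->group_iter] and so runs once per group, state grows with the number of nested groups. If the name is only needed until the callback has consumed it, a talloc_free(state->primary_name) at the top of the step (or at the end of the callback) keeps the fix without the accumulation. The change itself is right, and the commit message undersells it: the old code left state->primary_name pointing into tmp_ctx after tmp_ctx was freed at the end of the step, so this is a use-after-free fix, not only a memory-context tidy-up, and the message should say so.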
Ack.
I think it is a little bit more serious than the commit message implies :-) state->primary_name is referenced later in rfc2307bis_nested_groups_process() which is a callback for ldap search. Since tmp_ctx is freed we end up with a use-after-free.
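To make the failure mode Pavel describes concrete, here is an added example in C; it is not SSSD or talloc code. It uses a small talloc-style hierarchical allocator (tctx_alloc/tctx_free/tctx_is_live, hypothetical names) and a step/callback pair shaped like rfc2307bis_nested_groups_step() and rfc2307bis_nested_groups_process(); get_group_primary_name(), the groups_state struct and the group DN are constructed stand-ins. The only difference between the two runs is the context passed for the name, the same one-argument change the patch makes. The toy allocator marks freed blocks instead of returning them to malloc, so the callback can detect the dangling pointer that real talloc would simply dereference.

```c
/* Added example, not SSSD or talloc code: a minimal talloc-style allocator plus a
 * step/callback pair in the shape of the patched function. Names are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Every allocation is linked under its parent; freeing a parent frees the subtree. */
struct tnode {
    struct tnode *first_child, *next_sibling;
    int freed;    /* demo only: freed blocks are marked, not returned to malloc */
    char data[];  /* the pointer handed to callers points here */
};
static struct tnode *tnode_of(const void *p) {
    return (struct tnode *)((char *)p - offsetof(struct tnode, data));
}
/* talloc()-like: `size` bytes owned by `parent` (NULL makes a root context). */
static void *tctx_alloc(void *parent, size_t size) {
    struct tnode *n = calloc(1, sizeof(*n) + size);
    if (n == NULL) return NULL;
    if (parent != NULL) {   /* link under the parent so tctx_free(parent) reaches it */
        n->next_sibling = tnode_of(parent)->first_child;
        tnode_of(parent)->first_child = n;
    }
    return n->data;
}
/* talloc_free()-like: the block and everything under it go away. Real talloc hands
 * the memory back to malloc; here it is only marked, so the later read stays defined. */
static void tctx_free(void *p) {
    struct tnode *n = tnode_of(p);
    for (struct tnode *c = n->first_child; c != NULL; c = c->next_sibling)
        tctx_free(c->data);
    n->freed = 1;
}
static int tctx_is_live(const void *p) { return p != NULL && !tnode_of(p)->freed; }

/* Hypothetical stand-in for the tevent request state. */
struct groups_state {
    const char **groups;       /* group DNs still to process */
    size_t group_iter;
    const char *primary_name;  /* the member the patch is about */
};

/* Stand-in for sdap_get_group_primary_name(): the cn value of a DN, allocated on
 * mem_ctx. Which context is passed here is exactly what the patch changes. */
static int get_group_primary_name(void *mem_ctx, const char *dn, const char **name_out) {
    if (strncmp(dn, "cn=", 3) != 0) return EINVAL;
    const char *start = dn + 3, *end = strchr(start, ',');
    size_t len = end != NULL ? (size_t)(end - start) : strlen(start);
    char *name = tctx_alloc(mem_ctx, len + 1);
    if (name == NULL) return ENOMEM;
    memcpy(name, start, len);
    name[len] = '\0';
    *name_out = name;
    return 0;
}

/* Shape of rfc2307bis_nested_groups_step(): work on tmp_ctx, stash the result in
 * state, free tmp_ctx on the way out, and let a later callback continue. */
static int nested_groups_step(struct groups_state *state, int patched) {
    void *tmp_ctx = tctx_alloc(NULL, 1);
    if (tmp_ctx == NULL) return ENOMEM;
    void *mem_ctx = patched ? (void *)state : tmp_ctx;   /* the patch's one-line change */
    int ret = get_group_primary_name(mem_ctx, state->groups[state->group_iter],
                                     &state->primary_name);
    tctx_free(tmp_ctx);   /* the done: path; takes every child of tmp_ctx with it */
    return ret;
}

/* Shape of rfc2307bis_nested_groups_process(): runs after the search completes and
 * reads state->primary_name. Returns -1 if that pointer is already dead. */
static int nested_groups_process(struct groups_state *state, char *out, size_t outlen) {
    if (!tctx_is_live(state->primary_name)) return -1;   /* use-after-free with real talloc */
    snprintf(out, outlen, "%s", state->primary_name);
    return 0;
}

/* One step plus its callback: 0 and `out` filled when the name survived, -1 when the
 * callback found a dangling pointer, an errno value on other failure. */
int run_demo(int patched, char *out, size_t outlen) {
    static const char *groups[] = { "cn=admins,ou=groups,dc=example,dc=com" };  /* constructed */
    struct groups_state *state = tctx_alloc(NULL, sizeof(*state));
    if (state == NULL) return ENOMEM;
    state->groups = groups;
    state->group_iter = 0;
    state->primary_name = NULL;
    int ret = nested_groups_step(state, patched);
    if (ret == 0) ret = nested_groups_process(state, out, outlen);
    tctx_free(state);   /* in the patched case this also frees primary_name */
    return ret;
}

int main(void) {
    char buf[64];
    printf("unpatched: %s\n", run_demo(0, buf, sizeof buf) == 0 ? buf : "dangling primary_name");
    printf("patched:   %s\n", run_demo(1, buf, sizeof buf) == 0 ? buf : "dangling primary_name");
    return 0;
}
```

Build with any C99 compiler and run: the unpatched run reports a dangling primary_name, the patched run prints admins. With real talloc the unpatched path reads memory that has already gone back to malloc, which a build with -fsanitize=address would flag at the read in the callback, and which otherwise shows up as garbage group names or a crash well away from the line that caused it.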
On Wed, Aug 07, 2013 at 11:06:46AM +0200, Pavel Březina wrote:
On 08/07/2013 10:51 AM, Sumit Bose wrote:
Hi,
I came across this while testing other stuff. I think the issue was introduced in 1.10, 1.9 looks fine.
bye, Sumit
0001-Fix-memory-context-for-a-state-member.patch
From b49edd8a0c16365f5243b8d2f076e54baeee4a27 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 7 Aug 2013 10:34:52 +0200
Subject: [PATCH] Fix memory context for a state member
primary_name was allocated on a temporary memory context but as it is a member of the state struct it should belong to the memory context of the state.
 src/providers/ldap/sdap_async_initgroups.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c index ec1cf3e..5242c1a 100644 --- a/src/providers/ldap/sdap_async_initgroups.c +++ b/src/providers/ldap/sdap_async_initgroups.c @@ -2185,7 +2185,7 @@ static errno_t rfc2307bis_nested_groups_step(struct tevent_req *req) goto done; }
- ret = sdap_get_group_primary_name(tmp_ctx, state->opts,
- ret = sdap_get_group_primary_name(state, state->opts, state->groups[state->group_iter], state->dom, &state->primary_name); if (ret != EOK) {
-- 1.7.7.6
Ack.
I think it is a little bit more serious than the commit message implies :-) state->primary_name is referenced later in rfc2307bis_nested_groups_process() which is a callback for ldap search. Since tmp_ctx is freed we end up with a use-after-free.
Pushed to master and sssd-1-10.
sssd-devel@lists.fedorahosted.org