From 06ab986bf74b3310ffbbcf344a4e7fbe90cea321 Mon Sep 17 00:00:00 2001 From: Stefan Gohmann Date: Fri, 8 Mar 2013 20:57:31 +0100 Subject: [PATCH] s4-dns: dlz_bind9: Check result to avoid segfault We saw this issue in a customer environment with many CNF objects. I wasn't able to reproduce it, but I got the following core dump: (gdb) directory samba4-4.0.0~rc6/source4/dns_server/ Source directories searched: /root/samba4-4.0.0~rc6/source4/dns_server:$cdir:$cwd (gdb) bt #0 0xb4b0bc13 in dlz_lookup_types (state=0x9648e48, zone=0xb659b9a8 "xxxxxx.xxxxx.de", name=0xb659bda8 "client9173", lookup=0xb6db7588, types=0x0) at ../source4/dns_server/dlz_bind9.c:830 #1 0xb4b0bdb8 in dlz_lookup (zone=0xb659b9a8 "xxxxxx.xxxxx.de", name=0xb659bda8 "client9173", dbdata=0x9648e48, lookup=0xb6db7588) at ../source4/dns_server/dlz_bind9.c:875 #2 0x080b43d8 in dlopen_dlz_lookup () #3 0xb7701755 in findnode () from /usr/lib/libdns.so.81 #4 0xb7701d22 in find () from /usr/lib/libdns.so.81 #5 0xb7639e5f in dns_db_find () from /usr/lib/libdns.so.81 #6 0x08075476 in query_find () #7 0x0807acb9 in ns_query_start () #8 0x08060712 in client_request () #9 0xb743022b in run () from /usr/lib/libisc.so.81 #10 0xb7216955 in start_thread () from /lib/i686/cmov/libpthread.so.0 #11 0xb706c1de in clone () from /lib/i686/cmov/libc.so.6 (gdb) f 0 #0 0xb4b0bc13 in dlz_lookup_types (state=0x9648e48, zone=0xb659b9a8 "xxxxxx.xxxxx.de", name=0xb659bda8 "client9173", lookup=0xb6db7588, types=0x0) at ../source4/dns_server/dlz_bind9.c:830 830 el = ldb_msg_find_element(res->msgs[0], "dnsRecord"); (gdb) p res->msgs $1 = (struct ldb_message **) 0x0 (gdb) p res->count $2 = 0 (gdb) --- source4/dns_server/dlz_bind9.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source4/dns_server/dlz_bind9.c b/source4/dns_server/dlz_bind9.c index 689ed45..ac41dd0 100644 --- a/source4/dns_server/dlz_bind9.c +++ b/source4/dns_server/dlz_bind9.c @@ -825,7 +825,7 @@ static isc_result_t dlz_lookup_types(struct dlz_bind9_data *state, break; } } - if (ret != LDB_SUCCESS) { + if (ret != LDB_SUCCESS || res->count == 0) { talloc_free(tmp_ctx); return ISC_R_NOTFOUND; } -- 1.7.9.5