[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Fri Aug 17 10:25:02 MDT 2012


The branch, master has been updated
       via  2e1ab13 s4-dsdb: Use tmp_ctx in kccsrv_check_deleted to avoid leaking memory onto part->dn
       via  26bfe70 s4-kcc: Avoid use-after-free of dn and add tmp_ctx
      from  1b487ad s3:selftest: add some tests against a share the requires encryption

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 2e1ab13f6ebb2c2cf746457d4783fe9bc5e86de0
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Aug 17 23:04:56 2012 +1000

    s4-dsdb: Use tmp_ctx in kccsrv_check_deleted to avoid leaking memory onto part->dn
    
    The confusing use of do_dn as a memory context while legitimate
    created a bug when it was copied and modified to search on a DN from
    long-term state.
    
    By always using a temporary memory context it is clear which parameter
    is the memory context.
    
    This was found based on a log provided by Ricky Nance
    <ricky.nance at weaubleau.k12.mo.us>.  Thanks Ricky!
    
    Andrew Bartlett
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Fri Aug 17 18:24:10 CEST 2012 on sn-devel-104

commit 26bfe70def9905674c74bfe6f9d687b243af4891
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Aug 17 22:47:44 2012 +1000

    s4-kcc: Avoid use-after-free of dn and add tmp_ctx
    
    By using a tmp_ctx we are clearer about allocating temporary memory.
    
    Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/kcc/kcc_deleted.c  |   17 +++++++++++------
 source4/dsdb/kcc/kcc_periodic.c |   11 +++++++++--
 2 files changed, 20 insertions(+), 8 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/kcc/kcc_deleted.c b/source4/dsdb/kcc/kcc_deleted.c
index 0e1a428..63bb97c 100644
--- a/source4/dsdb/kcc/kcc_deleted.c
+++ b/source4/dsdb/kcc/kcc_deleted.c
@@ -83,30 +83,35 @@ NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_ctx)
 		struct ldb_result *res;
 		const char *attrs[] = { "whenChanged", NULL };
 		unsigned int i;
+		TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+		if (!tmp_ctx) {
+			return NT_STATUS_NO_MEMORY;
+		}
 
-		ret = dsdb_get_deleted_objects_dn(s->samdb, mem_ctx, part->dn, &do_dn);
+		ret = dsdb_get_deleted_objects_dn(s->samdb, tmp_ctx, part->dn, &do_dn);
 		if (ret != LDB_SUCCESS) {
+			TALLOC_FREE(tmp_ctx);
 			/* some partitions have no Deleted Objects
 			   container */
 			continue;
 		}
 
 		if (!do_fs && ldb_dn_compare(ldb_get_config_basedn(s->samdb), part->dn)) {
-			ret = dsdb_search(s->samdb, do_dn, &res, do_dn, LDB_SCOPE_ONELEVEL, attrs,
+			ret = dsdb_search(s->samdb, tmp_ctx, &res, do_dn, LDB_SCOPE_ONELEVEL, attrs,
 					DSDB_SEARCH_SHOW_RECYCLED, NULL);
 		} else {
 			if (do_fs) {
 				DEBUG(1, ("Doing a full scan on %s and looking for deleted object\n",
 						ldb_dn_get_linearized(part->dn)));
 			}
-			ret = dsdb_search(s->samdb, part->dn, &res, part->dn, LDB_SCOPE_SUBTREE, attrs,
+			ret = dsdb_search(s->samdb, tmp_ctx, &res, part->dn, LDB_SCOPE_SUBTREE, attrs,
 					DSDB_SEARCH_SHOW_RECYCLED, "(isDeleted=TRUE)");
 		}
 
 		if (ret != LDB_SUCCESS) {
 			DEBUG(1,(__location__ ": Failed to search for deleted objects in %s\n",
-				 ldb_dn_get_linearized(do_dn)));
-			talloc_free(do_dn);
+				 ldb_dn_get_linearized(do_dn)));	
+			TALLOC_FREE(tmp_ctx);
 			continue;
 		}
 
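Review bot: The failure message at `Failed to search for deleted objects in %s` always prints `do_dn`, but the `else` branch searches under `part->dn`, so a failed subtree scan is logged against the wrong base DN. Recording the base that was actually searched in a local set in each branch, and passing that to `ldb_dn_get_linearized()` in the DEBUG, would keep the log usable when diagnosing a failed cleanup pass. The added DEBUG continuation line also ends in a stray tab after `)));`. The body of kccsrv_check_deleted starts before this hunk and continues after it, so any exit path between the two hunks cannot be checked here for a matching `TALLOC_FREE(tmp_ctx)`.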
@@ -134,7 +139,7 @@ NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_ctx)
 			}
 		}
 
-		talloc_free(do_dn);
+		TALLOC_FREE(tmp_ctx);
 	}
 
 	return NT_STATUS_OK;
diff --git a/source4/dsdb/kcc/kcc_periodic.c b/source4/dsdb/kcc/kcc_periodic.c
index f96347f..8f705d7 100644
--- a/source4/dsdb/kcc/kcc_periodic.c
+++ b/source4/dsdb/kcc/kcc_periodic.c
@@ -70,10 +70,16 @@ static bool check_MasterNC(struct kccsrv_partition *p, struct repsFromToBlob *r,
 	struct repsFromTo1 *r1 = &r->ctr.ctr1;
 	struct GUID invocation_id = r1->source_dsa_invocation_id;
 	unsigned int i, j;
+	TALLOC_CTX *tmp_ctx;
 
 	/* we are expecting only version 1 */
 	SMB_ASSERT(r->version == 1);
 
+	tmp_ctx = talloc_new(p);
+	if (!tmp_ctx) {
+		return false;
+	}
+
 	for (i=0; i<res->count; i++) {
 		struct ldb_message *msg = res->msgs[i];
 		struct ldb_message_element *el;
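Review bot: Returning `false` when `talloc_new(p)` fails makes an allocation failure indistinguishable from "no masterNC match" for the caller, and nothing is logged. What the caller does with `false` is not visible in this hunk, but if it changes replication state on a negative answer, a transient out-of-memory condition would be acted on silently. At minimum add `DEBUG(0, (__location__ ": talloc_new failed\n"));` before the `return false;` and a comment on the function noting that `false` also covers allocation failure. The function body continues past the end of this hunk.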
@@ -93,23 +99,24 @@ static bool check_MasterNC(struct kccsrv_partition *p, struct repsFromToBlob *r,
 			}
 		}
 		for (j=0; j<el->num_values; j++) {
-			dn = ldb_dn_from_ldb_val(p, p->service->samdb, &el->values[j]);
+			dn = ldb_dn_from_ldb_val(tmp_ctx, p->service->samdb, &el->values[j]);
 			if (!ldb_dn_validate(dn)) {
 				talloc_free(dn);
 				continue;
 			}
 			if (ldb_dn_compare(dn, p->dn) == 0) {
-				talloc_free(dn);
 				DEBUG(5,("%s %s match on %s in %s\n",
 					 r1->other_info->dns_name,
 					 el->name,
 					 ldb_dn_get_linearized(dn),
 					 ldb_dn_get_linearized(msg->dn)));
+				talloc_free(tmp_ctx);
 				return true;
 			}
 			talloc_free(dn);
 		}
 	}
+	talloc_free(tmp_ctx);
 	return false;
 }
 
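Review bot: The match branch now relies on `dn` staying alive until the `DEBUG(5, ...)` call has linearized it, and nothing in the code records that ordering requirement. A one-line comment before `talloc_free(tmp_ctx)`, such as `/* dn is used by the DEBUG above: free tmp_ctx only after logging */`, would keep a later cleanup from reintroducing the use-after-free. The same DEBUG dereferences `r1->other_info->dns_name` with no NULL check visible in this hunk; whether `other_info` can be NULL for a parsed blob is not shown here and is worth confirming. The start of check_MasterNC's inner loop lies outside this hunk.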


-- 
Samba Shared Repository

