[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Tue May 19 10:46:02 UTC 2020


The branch, master has been updated
       via  68380ebaa60 winbindd: Fix a use-after-free when winbind clients exit
      from  dd1f750293e s3: lib: Paranoia around use of snprintf copying into a fixed-size buffer from a getenv() pointer.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 68380ebaa60c64311cc1081f700d571abbf69f4f
Author: Volker Lendecke <vl at samba.org>
Date:   Fri May 15 15:19:45 2020 +0200

    winbindd: Fix a use-after-free when winbind clients exit
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14382
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Tue May 19 10:45:06 UTC 2020 on sn-devel-184

-----------------------------------------------------------------------

Summary of changes:
 source3/winbindd/winbindd_dual.c | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
index 8ad2485324e..47efe988d65 100644
--- a/source3/winbindd/winbindd_dual.c
+++ b/source3/winbindd/winbindd_dual.c
@@ -202,7 +202,32 @@ struct tevent_req *wb_child_request_send(TALLOC_CTX *mem_ctx,
 
 	state->ev = ev;
 	state->child = child;
-	state->request = request;
+
+	/*
+	 * We have to make a copy of "request", because our caller
+	 * might drop us via talloc_free().
+	 *
+	 * The talloc_move() magic in wb_child_request_cleanup() keeps
+	 * all the requests, but if we are sitting deep within
+	 * writev_send() down to the client, we have given it the
+	 * pointer to "request". As our caller lost interest, it will
+	 * just free "request", while writev_send still references it.
+	 */
+
+	state->request = talloc_memdup(state, request, sizeof(*request));
+	if (tevent_req_nomem(state->request, req)) {
+		return tevent_req_post(req, ev);
+	}
+
+	if (request->extra_data.data != NULL) {
+		state->request->extra_data.data = talloc_memdup(
+			state->request,
+			request->extra_data.data,
+			request->extra_len);
+		if (tevent_req_nomem(state->request->extra_data.data, req)) {
+			return tevent_req_post(req, ev);
+		}
+	}
 
 	subreq = tevent_queue_wait_send(state, ev, child->queue);
 	if (tevent_req_nomem(subreq, req)) {
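Review bot: the copy only closes the use-after-free if every later user of the request in this function and in the write path (the writev_send the comment mentions) reads state->request rather than the caller's `request` parameter; please confirm nothing below this hunk still captures the original pointer. Two smaller points on the same hunk: talloc_memdup() at `state->request = talloc_memdup(state, request, sizeof(*request));` is a shallow copy, so the code is correct only if extra_data.data is the sole pointer member of the request struct that can outlive the caller; and the guard `if (request->extra_data.data != NULL)` pairs the pointer with `request->extra_len`, so a non-NULL data pointer with extra_len == 0 yields a zero-length talloc_memdup(), which is harmless but worth a short comment so nobody "fixes" it into a NULL check later.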
@@ -330,6 +355,7 @@ static void wb_child_request_cleanup(struct tevent_req *req,
 
 		subreq = talloc_move(state->child->queue, &state->subreq);
 		talloc_move(subreq, &state->queue_subreq);
+		talloc_move(subreq, &state->request);
 		tevent_req_set_callback(subreq,
 					wb_child_request_orphaned,
 					state->child);
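Review bot: the added `talloc_move(subreq, &state->request);` has no comment here, while the long comment in wb_child_request_send() points at this cleanup to explain why the copy exists; add a one-liner saying the request copy must follow the orphaned subreq because the in-flight write still references it, so the two sites cross-reference. The ordering is right: state->request is moved only after subreq has been reparented to state->child->queue on the line above, so the copy ends up owned by the queue-lifetime subreq rather than by the state that is about to be freed, and talloc_move() tolerates a NULL state->request, so the early tevent_req_post() failure paths in the first hunk cannot trip it.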


-- 
Samba Shared Repository


