[SCM] Samba Shared Repository - branch v4-15-test updated

Jule Anger janger at samba.org
Wed Sep 29 11:47:02 UTC 2021 

The branch, v4-15-test has been updated
       via  eb28bd54ac5 pyldb: Avoid use-after-free in msg_diff()
       via  e52ddfbe572 ldb_msg: Don't fail in ldb_msg_copy() if source DN is NULL
       via  db294baff36 pytest:segfault: Add test for ldb.msg_diff()
      from  4b1e8535610 autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable)

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test


- Log -----------------------------------------------------------------
commit eb28bd54ac5c36a9392ef19c49bf97a18b81974e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Sep 13 11:15:17 2021 +1200

    pyldb: Avoid use-after-free in msg_diff()
    
    Make a deep copy of the message elements in msg_diff() so that if either
    of the input messages are deallocated early, the result does not refer
    to non-existing elements.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    (cherry picked from commit 19a2af02f57d99db8ed3c6b028c3abdf4b553700)
    
    Autobuild-User(v4-15-test): Jule Anger <janger at samba.org>
    Autobuild-Date(v4-15-test): Wed Sep 29 11:46:33 UTC 2021 on sn-devel-184

commit e52ddfbe5728487cb2c8b8ceeb2f63c5c15a7541
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Sep 14 11:08:41 2021 +1200

    ldb_msg: Don't fail in ldb_msg_copy() if source DN is NULL
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    (cherry picked from commit c2bbe774ce03661666a1f48922a9ab681ef4f64b)

commit db294baff360f1c44c05798f6cda4584166adfd7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Sep 13 11:34:56 2021 +1200

    pytest:segfault: Add test for ldb.msg_diff()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    (cherry picked from commit a99a76722d6046a5d63032e3d2bb3f791da948a6)

-----------------------------------------------------------------------

Summary of changes:
 lib/ldb/common/ldb_msg.c       |  6 ++++--
 lib/ldb/pyldb.c                | 18 ++++++++++++++++--
 python/samba/tests/segfault.py | 12 ++++++++++++
 3 files changed, 32 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c
index 0179c35659b..57dfc5a04c2 100644
--- a/lib/ldb/common/ldb_msg.c
+++ b/lib/ldb/common/ldb_msg.c
@@ -876,8 +876,10 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx,
 	msg2 = ldb_msg_copy_shallow(mem_ctx, msg);
 	if (msg2 == NULL) return NULL;
 
-	msg2->dn = ldb_dn_copy(msg2, msg2->dn);
-	if (msg2->dn == NULL) goto failed;
+	if (msg2->dn != NULL) {
+		msg2->dn = ldb_dn_copy(msg2, msg2->dn);
+		if (msg2->dn == NULL) goto failed;
+	}
 
 	for (i=0;i<msg2->num_elements;i++) {
 		struct ldb_message_element *el = &msg2->elements[i];
diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c
index dadea2a7d6e..c264f361c40 100644
--- a/lib/ldb/pyldb.c
+++ b/lib/ldb/pyldb.c
@@ -1804,6 +1804,7 @@ static PyObject *py_ldb_msg_diff(PyLdbObject *self, PyObject *args)
 	struct ldb_message *diff;
 	struct ldb_context *ldb;
 	PyObject *py_ret;
+	TALLOC_CTX *mem_ctx = NULL;
 
 	if (!PyArg_ParseTuple(args, "OO", &py_msg_old, &py_msg_new))
 		return NULL;
@@ -1818,19 +1819,32 @@ static PyObject *py_ldb_msg_diff(PyLdbObject *self, PyObject *args)
 		return NULL;
 	}
 
+	mem_ctx = talloc_new(NULL);
+	if (mem_ctx == NULL) {
+		PyErr_NoMemory();
+		return NULL;
+	}
+
 	ldb = pyldb_Ldb_AS_LDBCONTEXT(self);
-	ldb_ret = ldb_msg_difference(ldb, ldb,
+	ldb_ret = ldb_msg_difference(ldb, mem_ctx,
 	                             pyldb_Message_AsMessage(py_msg_old),
 	                             pyldb_Message_AsMessage(py_msg_new),
 	                             &diff);
 	if (ldb_ret != LDB_SUCCESS) {
+		talloc_free(mem_ctx);
 		PyErr_SetString(PyExc_RuntimeError, "Failed to generate the Ldb Message diff");
 		return NULL;
 	}
 
+	diff = ldb_msg_copy(mem_ctx, diff);
+	if (diff == NULL) {
+		PyErr_NoMemory();
+		return NULL;
+	}
+
 	py_ret = PyLdbMessage_FromMessage(diff);
 
-	talloc_unlink(ldb, diff);
+	talloc_free(mem_ctx);
 
 	return py_ret;
 }
diff --git a/python/samba/tests/segfault.py b/python/samba/tests/segfault.py
index 11d3b3134f4..c316bdd5785 100644
--- a/python/samba/tests/segfault.py
+++ b/python/samba/tests/segfault.py
@@ -210,3 +210,15 @@ class SegfaultTests(samba.tests.TestCase):
         rec = TXTRecord(["a", "b", "c"])
         rec.wType = dnsp.DNS_TYPE_A
         rec.data
+
+    @no_gdb_backtrace
+    @segfault_detector
+    def test_ldb_msg_diff(self):
+        samdb = self.get_samdb()
+
+        msg = ldb.Message()
+        msg.dn = ldb.Dn(samdb, '')
+        diff = samdb.msg_diff(msg, msg)
+
+        del msg
+        diff.dn


-- 
Samba Shared Repository

More information about the samba-cvs mailing list