[SCM] Samba Shared Repository - branch v4-14-test updated

Jule Anger janger at samba.org
Wed Sep 29 13:15:01 UTC 2021 

The branch, v4-14-test has been updated
       via  5a90b3e832c pyldb: Avoid use-after-free in msg_diff()
       via  9d61f2f2f3e ldb_msg: Don't fail in ldb_msg_copy() if source DN is NULL
       via  9f79d4256f8 pytest:segfault: Add test for ldb.msg_diff()
      from  f53c532c229 autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable)

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test


- Log -----------------------------------------------------------------
commit 5a90b3e832cda88339c5cebca7043e842b348e47
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Sep 13 11:15:17 2021 +1200

    pyldb: Avoid use-after-free in msg_diff()
    
    Make a deep copy of the message elements in msg_diff() so that if either
    of the input messages are deallocated early, the result does not refer
    to non-existing elements.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    
    [abartlet at samba.org backported from commit
     19a2af02f57d99db8ed3c6b028c3abdf4b553700 due to conflicts in
     the knownfail.d/python-segfaults file]
    
    Autobuild-User(v4-14-test): Jule Anger <janger at samba.org>
    Autobuild-Date(v4-14-test): Wed Sep 29 13:14:22 UTC 2021 on sn-devel-184

commit 9d61f2f2f3eb3fd79bb2d78da8d64b0f8b66d3aa
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Sep 14 11:08:41 2021 +1200

    ldb_msg: Don't fail in ldb_msg_copy() if source DN is NULL
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    (cherry picked from commit c2bbe774ce03661666a1f48922a9ab681ef4f64b)

commit 9f79d4256f8f24127f06f0bf25092c5ca84a7d59
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Sep 13 11:34:56 2021 +1200

    pytest:segfault: Add test for ldb.msg_diff()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    
    [abartlet at samba.org backported form from commit
    a99a76722d6046a5d63032e3d2bb3f791da948a6 due to conflicts
    with other new segfault tests]

-----------------------------------------------------------------------

Summary of changes:
 lib/ldb/common/ldb_msg.c       |  6 ++++--
 lib/ldb/pyldb.c                | 18 ++++++++++++++++--
 python/samba/tests/segfault.py | 11 +++++++++++
 3 files changed, 31 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c
index 2346e66ec39..7131f013f71 100644
--- a/lib/ldb/common/ldb_msg.c
+++ b/lib/ldb/common/ldb_msg.c
@@ -876,8 +876,10 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx,
 	msg2 = ldb_msg_copy_shallow(mem_ctx, msg);
 	if (msg2 == NULL) return NULL;
 
-	msg2->dn = ldb_dn_copy(msg2, msg2->dn);
-	if (msg2->dn == NULL) goto failed;
+	if (msg2->dn != NULL) {
+		msg2->dn = ldb_dn_copy(msg2, msg2->dn);
+		if (msg2->dn == NULL) goto failed;
+	}
 
 	for (i=0;i<msg2->num_elements;i++) {
 		struct ldb_message_element *el = &msg2->elements[i];
diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c
index 813cdb0870e..443b677c2c4 100644
--- a/lib/ldb/pyldb.c
+++ b/lib/ldb/pyldb.c
@@ -1804,6 +1804,7 @@ static PyObject *py_ldb_msg_diff(PyLdbObject *self, PyObject *args)
 	struct ldb_message *diff;
 	struct ldb_context *ldb;
 	PyObject *py_ret;
+	TALLOC_CTX *mem_ctx = NULL;
 
 	if (!PyArg_ParseTuple(args, "OO", &py_msg_old, &py_msg_new))
 		return NULL;
@@ -1818,19 +1819,32 @@ static PyObject *py_ldb_msg_diff(PyLdbObject *self, PyObject *args)
 		return NULL;
 	}
 
+	mem_ctx = talloc_new(NULL);
+	if (mem_ctx == NULL) {
+		PyErr_NoMemory();
+		return NULL;
+	}
+
 	ldb = pyldb_Ldb_AS_LDBCONTEXT(self);
-	ldb_ret = ldb_msg_difference(ldb, ldb,
+	ldb_ret = ldb_msg_difference(ldb, mem_ctx,
 	                             pyldb_Message_AsMessage(py_msg_old),
 	                             pyldb_Message_AsMessage(py_msg_new),
 	                             &diff);
 	if (ldb_ret != LDB_SUCCESS) {
+		talloc_free(mem_ctx);
 		PyErr_SetString(PyExc_RuntimeError, "Failed to generate the Ldb Message diff");
 		return NULL;
 	}
 
+	diff = ldb_msg_copy(mem_ctx, diff);
+	if (diff == NULL) {
+		PyErr_NoMemory();
+		return NULL;
+	}
+
 	py_ret = PyLdbMessage_FromMessage(diff);
 
-	talloc_unlink(ldb, diff);
+	talloc_free(mem_ctx);
 
 	return py_ret;
 }
diff --git a/python/samba/tests/segfault.py b/python/samba/tests/segfault.py
index 07e2d46d56a..eac314982a8 100644
--- a/python/samba/tests/segfault.py
+++ b/python/samba/tests/segfault.py
@@ -174,3 +174,14 @@ class SegfaultTests(samba.tests.TestCase):
     def test_dcerpc_idl_inline_arrays(self):
         """Inline arrays were incorrectly handled."""
         dnsserver.DNS_RPC_SERVER_INFO_DOTNET().pExtensions
+
+    @segfault_detector
+    def test_ldb_msg_diff(self):
+        samdb = self.get_samdb()
+
+        msg = ldb.Message()
+        msg.dn = ldb.Dn(samdb, '')
+        diff = samdb.msg_diff(msg, msg)
+
+        del msg
+        diff.dn


-- 
Samba Shared Repository

More information about the samba-cvs mailing list