[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Thu Jan 20 10:05:01 UTC 2022


The branch, master has been updated
       via  7d16a56b9d1 s4:dsdb/vlv_pagination: fix segfault in vlv_results()
       via  19fa22b1fbc s4:dsdb/paged_results: fix segfault in paged_results()
      from  7055827b8ff HEIMDAL: move code from source4/heimdal* to third_party/heimdal*

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7d16a56b9d1cde8a5174381ef4924a2ea7be59bc
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jan 19 15:57:08 2022 +0100

    s4:dsdb/vlv_pagination: fix segfault in vlv_results()
    
    It can happen that vlv_results() fails, e.g. due to
    LDB_ERR_TIME_LIMIT_EXCEEDED; if that happens we should not
    dereference ares->response, as ares is NULL.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14952
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Thu Jan 20 10:04:39 UTC 2022 on sn-devel-184

commit 19fa22b1fbcf33dbc4defe4dd2e487a642786c49
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jan 19 15:57:08 2022 +0100

    s4:dsdb/paged_results: fix segfault in paged_results()
    
    It can happen that paged_results() fails, e.g. due to
    LDB_ERR_TIME_LIMIT_EXCEEDED; if that happens we should not
    dereference ares->response, as ares is NULL.
    
    We also should not call ldb_module_done() if paged_results()
    fails, as it was already called.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14952
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/samdb/ldb_modules/paged_results.c  | 19 ++++++++++++-------
 source4/dsdb/samdb/ldb_modules/vlv_pagination.c | 21 +++++++++++++--------
 2 files changed, 25 insertions(+), 15 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/paged_results.c b/source4/dsdb/samdb/ldb_modules/paged_results.c
index 3eea3236e7d..2063e84e157 100644
--- a/source4/dsdb/samdb/ldb_modules/paged_results.c
+++ b/source4/dsdb/samdb/ldb_modules/paged_results.c
@@ -239,6 +239,7 @@ static int paged_search_by_dn_guid(struct ldb_module *module,
 
 static int paged_results(struct paged_context *ac, struct ldb_reply *ares)
 {
+	struct ldb_extended *response = (ares != NULL ? ares->response : NULL);
 	struct ldb_paged_control *paged;
 	unsigned int i, num_ctrls;
 	int ret;
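Review bot: The new `response` local makes `paged_results()` safe to call with `ares == NULL`, but nothing at the signature documents that `ares` may be NULL, nor the contract that the `paged_search()` hunk further down now depends on (every failure exit has already completed the request via `ldb_module_done()`). I would add above the signature: `/* ares may be NULL (paged_search() passes NULL on the initial request). On any failure this function has already called ldb_module_done(), so callers must return the error without completing the request again. */`. The same comment belongs on `vlv_results()` in the first vlv_pagination.c hunk, whose caller in `vlv_search()` relies on the same contract. The body of paged_results() continues beyond this hunk.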
@@ -246,7 +247,7 @@ static int paged_results(struct paged_context *ac, struct ldb_reply *ares)
 	if (ac->store == NULL) {
 		ret = LDB_ERR_OPERATIONS_ERROR;
 		return ldb_module_done(
-			ac->req, ac->controls, ares->response, ret);
+			ac->req, ac->controls, response, ret);
 	}
 
 	while (ac->store->last_i < ac->store->num_entries && ac->size > 0) {
@@ -276,7 +277,7 @@ static int paged_results(struct paged_context *ac, struct ldb_reply *ares)
 			continue;
 		} else if (ret != LDB_SUCCESS) {
 			return ldb_module_done(
-				ac->req, ac->controls, ares->response, ret);
+				ac->req, ac->controls, response, ret);
 		}
 
 		ret = ldb_module_send_entry(ac->req, result->msgs[0],
@@ -318,7 +319,7 @@ static int paged_results(struct paged_context *ac, struct ldb_reply *ares)
 	if (ac->controls == NULL) {
 		ret = LDB_ERR_OPERATIONS_ERROR;
 		return ldb_module_done(
-			ac->req, ac->controls, ares->response, ret);
+			ac->req, ac->controls, response, ret);
 	}
 	ac->controls[num_ctrls] = NULL;
 
@@ -331,7 +332,7 @@ static int paged_results(struct paged_context *ac, struct ldb_reply *ares)
 	if (ac->controls[i] == NULL) {
 		ret = LDB_ERR_OPERATIONS_ERROR;
 		return ldb_module_done(
-			ac->req, ac->controls, ares->response, ret);
+			ac->req, ac->controls, response, ret);
 	}
 
 	ac->controls[i]->oid = talloc_strdup(ac->controls[i],
@@ -339,7 +340,7 @@ static int paged_results(struct paged_context *ac, struct ldb_reply *ares)
 	if (ac->controls[i]->oid == NULL) {
 		ret = LDB_ERR_OPERATIONS_ERROR;
 		return ldb_module_done(
-			ac->req, ac->controls, ares->response, ret);
+			ac->req, ac->controls, response, ret);
 	}
 
 	ac->controls[i]->critical = 0;
@@ -348,7 +349,7 @@ static int paged_results(struct paged_context *ac, struct ldb_reply *ares)
 	if (paged == NULL) {
 		ret = LDB_ERR_OPERATIONS_ERROR;
 		return ldb_module_done(
-			ac->req, ac->controls, ares->response, ret);
+			ac->req, ac->controls, response, ret);
 	}
 
 	ac->controls[i]->data = paged;
@@ -803,7 +804,11 @@ static int paged_search(struct ldb_module *module, struct ldb_request *req)
 
 		ret = paged_results(ac, NULL);
 		if (ret != LDB_SUCCESS) {
-			return ldb_module_done(req, NULL, NULL, ret);
+			/*
+			 * paged_results() will have called ldb_module_done
+			 * if an error occurred
+			 */
+			return ret;
 		}
 		return ldb_module_done(req, ac->controls, NULL, LDB_SUCCESS);
 	}
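Review bot: The replaced `return ret;` now relies on every non-success exit of `paged_results()` having already called `ldb_module_done()`; the error exits visible in the hunks above do, but the handling of the `ldb_module_send_entry()` result and the rest of the loop body lie outside the shown hunks, so the invariant should be confirmed across the whole function rather than only at the sites the patch touched. A bare error return anywhere in it would now leave the request uncompleted (the client never receives a reply) instead of the previous double completion, which is a quieter failure. The same dependency exists for `return ret;` in the `vlv_search()` hunk of vlv_pagination.c. paged_search() itself starts and ends outside this hunk.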
diff --git a/source4/dsdb/samdb/ldb_modules/vlv_pagination.c b/source4/dsdb/samdb/ldb_modules/vlv_pagination.c
index d6d6039e849..b389d3fd4f0 100644
--- a/source4/dsdb/samdb/ldb_modules/vlv_pagination.c
+++ b/source4/dsdb/samdb/ldb_modules/vlv_pagination.c
@@ -389,6 +389,7 @@ static int vlv_calc_real_offset(int offset, int denominator, int n_entries)
 
 static int vlv_results(struct vlv_context *ac, struct ldb_reply *ares)
 {
+	struct ldb_extended *response = (ares != NULL ? ares->response : NULL);
 	struct ldb_vlv_resp_control *vlv;
 	unsigned int num_ctrls;
 	int ret, i, first_i, last_i;
@@ -399,7 +400,7 @@ static int vlv_results(struct vlv_context *ac, struct ldb_reply *ares)
 	if (ac->store == NULL) {
 		ret = LDB_ERR_OPERATIONS_ERROR;
 		return ldb_module_done(
-			ac->req, ac->controls, ares->response, ret);
+			ac->req, ac->controls, response, ret);
 	}
 
 	if (ac->store->first_ref) {
@@ -428,7 +429,7 @@ static int vlv_results(struct vlv_context *ac, struct ldb_reply *ares)
 				return ldb_module_done(
 					ac->req,
 					ac->controls,
-					ares->response,
+					response,
 					ret);
 			}
 		} else {
@@ -440,7 +441,7 @@ static int vlv_results(struct vlv_context *ac, struct ldb_reply *ares)
 				return ldb_module_done(
 					ac->req,
 					ac->controls,
-					ares->response,
+					response,
 					ret);
 			}
 		}
@@ -480,7 +481,7 @@ static int vlv_results(struct vlv_context *ac, struct ldb_reply *ares)
 				return ldb_module_done(
 					ac->req,
 					ac->controls,
-					ares->response,
+					response,
 					ret);
 			}
 
@@ -513,7 +514,7 @@ static int vlv_results(struct vlv_context *ac, struct ldb_reply *ares)
 	if (ac->controls == NULL) {
 		ret = LDB_ERR_OPERATIONS_ERROR;
 		return ldb_module_done(
-			ac->req, ac->controls, ares->response, ret);
+			ac->req, ac->controls, response, ret);
 	}
 	ac->controls[num_ctrls] = NULL;
 
@@ -525,7 +526,7 @@ static int vlv_results(struct vlv_context *ac, struct ldb_reply *ares)
 	if (ac->controls[i] == NULL) {
 		ret = LDB_ERR_OPERATIONS_ERROR;
 		return ldb_module_done(
-			ac->req, ac->controls, ares->response, ret);
+			ac->req, ac->controls, response, ret);
 	}
 
 	ac->controls[i]->oid = talloc_strdup(ac->controls[i],
@@ -533,7 +534,7 @@ static int vlv_results(struct vlv_context *ac, struct ldb_reply *ares)
 	if (ac->controls[i]->oid == NULL) {
 		ret = LDB_ERR_OPERATIONS_ERROR;
 		return ldb_module_done(
-			ac->req, ac->controls, ares->response, ret);
+			ac->req, ac->controls, response, ret);
 	}
 
 	ac->controls[i]->critical = 0;
@@ -542,7 +543,7 @@ static int vlv_results(struct vlv_context *ac, struct ldb_reply *ares)
 	if (vlv == NULL) {
 		ret = LDB_ERR_OPERATIONS_ERROR;
 		return ldb_module_done(
-			ac->req, ac->controls, ares->response, ret);
+			ac->req, ac->controls, response, ret);
 	}
 	ac->controls[i]->data = vlv;
 
@@ -891,6 +892,10 @@ static int vlv_search(struct ldb_module *module, struct ldb_request *req)
 
 		ret = vlv_results(ac, NULL);
 		if (ret != LDB_SUCCESS) {
+			/*
+			 * vlv_results() will have called ldb_module_done
+			 * if there was an error.
+			 */
 			return ret;
 		}
 		return ldb_module_done(req, ac->controls, NULL,




