[PATCH] build and use-after free fixes found during Solaris work

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Mar 27 04:26:36 MDT 2013


On Wed, Mar 27, 2013 at 12:34:19PM +1100, Andrew Bartlett wrote:
> On Solaris-derived systems (OpenIndiana in this case) I found we needed
> to avoid the libidmap.so name, and I found a use-after-free in the auth
> code at debug level 5.
> 
> See attached, please review and/or push.

> diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
> index d9bea1c..70ce638 100644
> --- a/auth/ntlmssp/ntlmssp_server.c
> +++ b/auth/ntlmssp/ntlmssp_server.c
> @@ -449,11 +449,11 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
>  							      &gensec_ntlmssp->server_returned_info,
>  							      user_session_key, lm_session_key);
>  	}
> -	talloc_free(user_info);
>  
>  	if (!NT_STATUS_IS_OK(nt_status)) {
>  		DEBUG(5, (__location__ ": Checking NTLMSSP password for %s\\%s failed: %s\n", user_info->client.domain_name, user_info->client.account_name, nt_errstr(nt_status)));
>  	}
> +	talloc_free(user_info);

Can we make that a TALLOC_FREE? This nulls out the
user_info, which would have detected the use-after-free with
a nice segfault :-)

Volker

>  
>  	NT_STATUS_NOT_OK_RETURN(nt_status);
>  
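Review bot: Moving `talloc_free(user_info)` below the `DEBUG(5, ...)` call is the right fix, since that DEBUG dereferences `user_info->client.domain_name` and `user_info->client.account_name` after the point where the original code had already freed it; prefer `TALLOC_FREE(user_info);` at the new position so the pointer is nulled and any remaining dereference further down in this function fails loudly instead of reading freed memory. The commit message should also state that the use-after-free is only reachable at debug level 5 or above (the DEBUG branch), so reviewers know why ordinary test runs did not trigger it.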
> -- 
> 1.7.11.7
> 


-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
