[PATCH] Fixes for winbindd
Volker Lendecke
Volker.Lendecke at SerNet.DE
Fri Jul 25 04:19:12 MDT 2014
On Fri, Jul 25, 2014 at 02:41:10PM +1200, Garming Sam wrote:
> Hi,
>
> During an auto-build, we managed to come across a segfault in
> winbindd as a result of an RODC DNS update.
>
> We have to ensure that the dns_names parameter is preserved on a
> long term memory context.
>
> The second patch fixes a use after free error when the first error happens.
>
>
> Please review and push.
>
>
> Cheers,
>
>
> Garming Sam
> >From 5bc91f9e43f44e0476c1083a8bd5145c094492f8 Mon Sep 17 00:00:00 2001
> From: Andrew Bartlett <abartlet at samba.org>
> Date: Thu, 24 Jul 2014 15:54:58 +1200
> Subject: [PATCH 1/2] libcli/auth: Ensure that the dns_names in/out parameter
> is preserved
>
> This is in dcerpc_netr_DsrUpdateReadOnlyServerDnsRecords, which has
> status variables filled in by the server and placed in this in/out
> array.
>
> This showed up as a segfault in winbindd during RODC DNS update.
>
> Andrew Bartlett
>
> Signed-off-by: Garming Sam <garming at catalyst.net.nz>
> Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
> ---
> libcli/auth/netlogon_creds_cli.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
> index d709e6a..a461dc6 100644
> --- a/libcli/auth/netlogon_creds_cli.c
> +++ b/libcli/auth/netlogon_creds_cli.c
> @@ -2754,7 +2754,14 @@ static void netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_done(struct tev
> NTSTATUS result;
> bool ok;
>
> - status = dcerpc_netr_DsrUpdateReadOnlyServerDnsRecords_recv(subreq, state,
> + /*
> + * We use state->dns_names as the memory context, as this is
> + * the only in/out variable and it has been overwritten by the
> + * out parameter from the server.
> + *
> + * We need to preserve the return value until the caller can use it.
> + */
> + status = dcerpc_netr_DsrUpdateReadOnlyServerDnsRecords_recv(subreq, state->dns_names,
Can you explain that a bit more closely? As far as I can
see, netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords is
only used in a synchronous fashion. And as "state" lives as
long as the sync function ponders the request, at least
inside that function this should not make a difference. What
is the sequence of talloc_free()'s that leads to the
segfault you saw?
> As found during investigation of the previous commit, when the RPC
> call fails totally, we must only try and send one error reply.
>
> Andrew Bartlett
>
> Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> Signed-off-by: Garming Sam <garming at catalyst.net.nz>
> Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
> ---
> source3/winbindd/winbindd_irpc.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/source3/winbindd/winbindd_irpc.c b/source3/winbindd/winbindd_irpc.c
> index cf58a08..aeaea71 100644
> --- a/source3/winbindd/winbindd_irpc.c
> +++ b/source3/winbindd/winbindd_irpc.c
> @@ -51,6 +51,7 @@ static void wb_irpc_forward_callback(struct tevent_req *subreq)
> DEBUG(0,("RPC callback failed for %s - %s\n",
> opname, nt_errstr(status)));
> irpc_send_reply(st->msg, status);
> + return;
> }
>
> irpc_send_reply(st->msg, status);
Reviewed-by: Me.
Volker
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
More information about the samba-technical
mailing list