[PATCH 04/12] passdb: Avoid use-after-free when setting a plaintext password

abartlet at samba.org
Sun Sep 7 17:30:30 MDT 2014

From: Andrew Bartlett <abartlet at samba.org>

The issue here is that pdb_set_plaintext_passwd() re-used the memory from pdb_get_pw_history() as input.

We need to free this after we copy and set it.

Found by AddressSanitizer

Andrew Bartlett

Change-Id: I4e148e23ccbbe5444c969ff8f91709791c7696bb
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
 source3/passdb/pdb_get_set.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c
index a9b22bb..0d7f4cb 100644
--- a/source3/passdb/pdb_get_set.c
+++ b/source3/passdb/pdb_get_set.c
@@ -873,9 +873,10 @@ bool pdb_set_lanman_passwd(struct samu *sampass, const uint8 pwd[LM_HASH_LEN], e
 bool pdb_set_pw_history(struct samu *sampass, const uint8 *pwd, uint32_t historyLen, enum pdb_value_state flag)
 	if (historyLen && pwd){
-		data_blob_free(&(sampass->nt_pw_his));
+		DATA_BLOB *old_nt_pw_his = &(sampass->nt_pw_his);
 		sampass->nt_pw_his = data_blob_talloc(sampass,
-						pwd, historyLen*PW_HISTORY_ENTRY_LEN);
+						      pwd, historyLen*PW_HISTORY_ENTRY_LEN);
+		data_blob_free(old_nt_pw_his);
 		if (!sampass->nt_pw_his.length) {
 			DEBUG(0, ("pdb_set_pw_history: data_blob_talloc() failed!\n"));
 			return False;
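Review bot: `DATA_BLOB *old_nt_pw_his = &(sampass->nt_pw_his);` saves a pointer to the struct field, not a copy of the old blob, so once `sampass->nt_pw_his = data_blob_talloc(...)` has run, `*old_nt_pw_his` is the freshly allocated history and `data_blob_free(old_nt_pw_his);` frees that new blob and zeroes its length. The `if (!sampass->nt_pw_his.length)` check that follows will then always fire, and the original allocation is leaked instead of freed. Take the old value by value before allocating, e.g. `DATA_BLOB old_nt_pw_his = sampass->nt_pw_his;` then `data_blob_free(&old_nt_pw_his);` after the new blob is in place; or allocate into a local, check its length, and only then free the old field and assign. Either way the copy from `pwd` happens while the memory it may alias is still live, which is what the use-after-free fix needs.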

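The pattern the commit message describes, as an added example that is not Samba's code: a getter returns a pointer into a stored blob, and a setter is handed that same pointer as its input. The plain-malloc `blob`, `samu`, `blob_dup`, `blob_free`, `get_pw_history` and the three `set_pw_history_*` variants are stand-ins written for this illustration (assumed shapes, not the real DATA_BLOB or talloc API); the sample history bytes are constructed. The three setters show the pre-fix free-then-copy order, the pointer-to-field order as it appears in the posted hunk, and a copy-then-free order that survives an aliased input.

```c
/* Added example, not Samba code: the aliasing behind this fix, modelled with a
 * malloc'd blob instead of talloc. pdb_set_plaintext_passwd() hands the pointer
 * from pdb_get_pw_history() back to pdb_set_pw_history(), so the setter's input
 * points INTO the blob it is about to replace. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PW_HISTORY_ENTRY_LEN 32   /* one password-history entry, as in Samba */

typedef struct { uint8_t *data; size_t length; } blob;   /* stand-in for DATA_BLOB */
typedef struct { blob nt_pw_his; } samu;                  /* stand-in for struct samu */

/* stand-in for data_blob_talloc(): zero-length blob on failure */
static blob blob_dup(const uint8_t *src, size_t len) {
    blob b = { NULL, 0 };
    if (src == NULL || len == 0 || (b.data = malloc(len)) == NULL) return b;
    memcpy(b.data, src, len);
    b.length = len;
    return b;
}

/* stand-in for data_blob_free(): release and zero the blob */
static void blob_free(blob *b) { free(b->data); b->data = NULL; b->length = 0; }

/* like pdb_get_pw_history(): a pointer into the stored blob, not a copy */
static const uint8_t *get_pw_history(const samu *s) { return s->nt_pw_his.data; }

/* Pre-fix order: free, then copy from pwd. Fine while pwd does not alias the
 * stored blob; with the getter's pointer the copy reads freed memory. */
static int set_pw_history_free_first(samu *s, const uint8_t *pwd, uint32_t n) {
    blob_free(&s->nt_pw_his);
    s->nt_pw_his = blob_dup(pwd, (size_t)n * PW_HISTORY_ENTRY_LEN);
    return s->nt_pw_his.length != 0;
}

/* The shape in the posted hunk: a pointer to the FIELD is saved, the field is
 * reassigned, then freed through that pointer, which now names the new blob. */
static int set_pw_history_ptr_to_field(samu *s, const uint8_t *pwd, uint32_t n) {
    blob *old = &s->nt_pw_his;
    s->nt_pw_his = blob_dup(pwd, (size_t)n * PW_HISTORY_ENTRY_LEN);
    blob_free(old);                     /* frees s->nt_pw_his itself; old data leaks */
    return s->nt_pw_his.length != 0;    /* therefore always 0 */
}

/* Copy-then-free done right: snapshot the old blob BY VALUE, build the new one
 * while the old storage is still live, install it, then release the snapshot. */
static int set_pw_history_safe(samu *s, const uint8_t *pwd, uint32_t n) {
    blob old = s->nt_pw_his;
    blob fresh = blob_dup(pwd, (size_t)n * PW_HISTORY_ENTRY_LEN);
    if (fresh.length == 0) return 0;    /* allocation failed: old value left intact */
    s->nt_pw_his = fresh;
    blob_free(&old);
    return 1;
}

/* Pre-fix setter with NON-aliased input succeeds, which is why the bug stayed
 * hidden until AddressSanitizer saw the aliased call. Constructed sample data. */
static int demo_free_first_non_aliased(void) {
    uint8_t sample[2 * PW_HISTORY_ENTRY_LEN];
    samu s = { { NULL, 0 } };
    memset(sample, 0xA5, sizeof sample);
    if (!set_pw_history_free_first(&s, sample, 2)) return 0;
    int ok = memcmp(get_pw_history(&s), sample, sizeof sample) == 0;
    blob_free(&s.nt_pw_his);
    return ok;
}

/* Self-aliasing update through the safe setter: contents must survive. */
static int demo_safe_aliased(void) {
    uint8_t sample[2 * PW_HISTORY_ENTRY_LEN];
    samu s = { { NULL, 0 } };
    memset(sample, 0x5A, sizeof sample);
    if (!set_pw_history_safe(&s, sample, 2)) return 0;
    if (!set_pw_history_safe(&s, get_pw_history(&s), 2)) return 0;   /* aliased call */
    int ok = s.nt_pw_his.length == sizeof sample
          && memcmp(get_pw_history(&s), sample, sizeof sample) == 0;
    blob_free(&s.nt_pw_his);
    return ok;
}

/* The hunk's pointer-to-field shape fails even with non-aliased input, because
 * it frees the blob it has just allocated. */
static int demo_ptr_to_field(void) {
    uint8_t sample[2 * PW_HISTORY_ENTRY_LEN];
    samu s = { { NULL, 0 } };
    memset(sample, 0x3C, sizeof sample);
    if (!set_pw_history_safe(&s, sample, 2)) return -1;
    uint8_t *orig = s.nt_pw_his.data;   /* keep a handle so this demo does not leak it */
    int rc = set_pw_history_ptr_to_field(&s, sample, 2);
    free(orig);
    return rc;                          /* 0: setter reports failure */
}

int main(void) {
    printf("free-first, non-aliased: %d\n", demo_free_first_non_aliased());
    printf("safe, aliased:           %d\n", demo_safe_aliased());
    printf("pointer-to-field:        %d\n", demo_ptr_to_field());
    return 0;
}
```

The free-first variant is deliberately never called with the getter's own pointer here, since that is the use-after-free ASan reported and its behaviour is undefined; build with `-fsanitize=address` and change the first demo to pass `get_pw_history(&s)` if you want to see the report. The safe variant also keeps the old value intact when the allocation fails, which the free-first order cannot do.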
More information about the samba-technical mailing list