[PATCH 11/12] torture: Fix use-after-free in ldap.nested-search
Kamen Mazdrashki
kamenim at samba.org
Sun Sep 7 21:49:04 MDT 2014
Interesting, ldb_search_default_callback() frees an argument we pass to it.
IMO, this is a poor calling convention. What about fixing it? I can take this
on?
Cheers,
Kamen
On Mon, Sep 8, 2014 at 1:30 AM, <abartlet at samba.org> wrote:
> From: Andrew Bartlett <abartlet at samba.org>
>
> Found by AddressSanitizer
>
> Change-Id: Ie3bb4054201382cacb4b296308d561a3548f8cff
> Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> ---
> source4/torture/ldap/nested_search.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/source4/torture/ldap/nested_search.c
> b/source4/torture/ldap/nested_search.c
> index 47299c2..04b7f4d 100644
> --- a/source4/torture/ldap/nested_search.c
> +++ b/source4/torture/ldap/nested_search.c
> @@ -60,11 +60,13 @@ static int nested_search_callback(struct ldb_request
> *req,
> "defaultNamingContext",
> NULL
> };
> + int type;
>
> sctx = talloc_get_type(req->context, struct nested_search_context);
>
> + type = ares->type;
> /* sanity check */
> - switch (ares->type) {
> + switch (type) {
> case LDB_REPLY_ENTRY:
> torture_comment(sctx->tctx, "nested_search_callback:
> LDB_REPLY_ENTRY\n");
> ldb_msg = ares->message;
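
Review bot: The new `type = ares->type;` assignment ahead of the switch carries no comment explaining why the value is cached, so a later cleanup could fold it back into `switch (ares->type)` and reintroduce the use-after-free that AddressSanitizer reported. Add a one-line comment above the assignment stating that ares may already be freed by the time the type is checked again further down. It would also be better to declare `type` with the same type as `ares->type` rather than plain `int`, so the compiler can still check the case labels in the switch.
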
> @@ -89,7 +91,7 @@ static int nested_search_callback(struct ldb_request
> *req,
> }
>
> /* not a search reply, then get out */
> - if (ares->type != LDB_REPLY_ENTRY) {
> + if (type != LDB_REPLY_ENTRY) {
> return res;
> }
>
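
Review bot: The check `if (type != LDB_REPLY_ENTRY)` no longer reads ares, but the LDB_REPLY_ENTRY path that continues past this return is not covered by the patch, and the first hunk still sets `ldb_msg = ares->message;` from the same reply. Please confirm that nothing after this point dereferences ares or ldb_msg once the reply has been released. If something does, it needs the same treatment as `type`, by copying or taking a reference on what is needed before the free.
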
> --
> 2.1.0
>
>