[PATCH] libwbclient clear pointer on bad read
Matthew Newton
mcn4 at leicester.ac.uk
Thu Jan 8 08:59:48 MST 2015
Hi,

I've been working on trying to get FreeRADIUS to authenticate
using libwbclient rather than calling ntlm_auth. I've come across
a couple of things in libwbclient that don't seem right.

(Background to what I'm doing is here:
https://github.com/FreeRADIUS/freeradius-server/pull/848 )

In nsswitch/wb_common.c, in winbindd_read_reply: if
winbind_read_sock fails for some reason and returns -1 then it's
possible that some data could have actually been read. Therefore
the extra_data.data pointer can be set. The attached simple patch
moves clearing this pointer to above the return calls so that the
later free in the calling code won't ever crash out trying to free
an invalid pointer.

This patch is against v4-2-test, though I'm testing on Samba 3.6
(in Debian) which also needs the same patch.

The second slightly more major thing (and which triggers the above
really) is that the library isn't thread safe because it has two
global variables, winbindd_fd and is_privileged.

It looks like work was done in 2010 to make it mostly thread-safe (see
https://lists.samba.org/archive/samba-technical/2010-February/069226.html).
I guess the library just needs to somehow keep these two variables
local to the thread if compiled with pthreads?

Cheers,

Matthew

--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: clear_response_extra_data.patch
Type: text/x-diff
Size: 1563 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150108/fa1c6c88/attachment.patch>
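
The failure mode described in the message, modelled as an added example (this is not Samba's code and not the attached patch): a read that fails part-way leaves wire bytes in the pointer field unless the field is cleared before every return. The struct `reply`, all function names and the pipe input are hypothetical, constructed for illustration.

```c
#include <stdio.h>
#include <unistd.h>
/* Hypothetical reply header: the sender's pointer value travels on the wire. */
struct reply { size_t length; void *extra; };

/* Read exactly n bytes; returns -1 on EOF or error even if some bytes arrived. */
static int read_all(int fd, void *buf, size_t n)
{
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, (char *)buf + got, n - got);
        if (r <= 0) return -1;
        got += (size_t)r;
    }
    return 0;
}

/* Pointer cleared only on the success path: the error return skips it. */
static int read_reply_late_clear(int fd, struct reply *rsp)
{
    if (read_all(fd, rsp, sizeof(*rsp)) == -1) return -1;
    rsp->extra = NULL;
    return 0;
}

/* Pointer cleared before any return, so a later free() in the caller is safe. */
static int read_reply_early_clear(int fd, struct reply *rsp)
{
    int rc = read_all(fd, rsp, sizeof(*rsp));
    rsp->extra = NULL;
    return rc;
}

/* Constructed input: header cut one byte short, then EOF; 1 = stale pointer left. */
static int stale_pointer_after_failure(int (*reader)(int, struct reply *))
{
    int p[2], rc;
    struct reply wire = { sizeof(wire), (void *)(size_t)0x1000 }, rsp = { 0, NULL };
    if (pipe(p) != 0 || write(p[1], &wire, sizeof(wire) - 1) < 0) return -1;
    close(p[1]);
    rc = reader(p[0], &rsp);
    close(p[0]);
    return rc == -1 && rsp.extra != NULL;
}

int main(void)
{
    printf("late clear stale=%d, early clear stale=%d\n",
           stale_pointer_after_failure(read_reply_late_clear),
           stale_pointer_after_failure(read_reply_early_clear));
}
```
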