[PATCH] Fix use after free in resolve_name()

Uri Simchoni uri at samba.org
Fri Oct 23 07:13:27 UTC 2015



On 10/22/2015 03:13 PM, Andreas Schneider wrote:
> Subject: [PATCH 1/3] s3-libsmb: Fix invalid memory access to resolve order
>   string list
>
> This makes sure we do not end up accessing invalid memory because a samba
> nss module reinitializes the globals.
Yikes! I tend to think of nss modules as canned components that just do 
their thing. It's very surprising (in a negative way) when they're not. 
Best thing would be to link libnss_wins.so statically with other samba 
code, so that it would have its own copy of everything.

If that's not feasible, maybe what we should aim for is "if globals have 
been initialized, don't reinitialize them". Maybe call 
lp_load_global_no_reinit() from nss_wins?

After all, who knows what other surprises are hidden by this reinit? 
Seems to me like the coding convention around lp_xxx() is that you can 
pass it around down the stack but if you want to save it beyond this 
call flow then you need your own copy.

(and, maybe that's the cue for nss_wins retirement plan? who uses wins 
these days?)

>   	for (i=0; resolve_order[i]; i++) {
>   		tok = resolve_order[i];
> +		if (tok == NULL) {
> +			/* The last element is normally NULL, see above */
> +			break;
> +		}
>   
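Review bot: the added `if (tok == NULL)` check is unreachable as written. The loop condition `resolve_order[i]` already terminates the loop when the element is NULL, and `tok` is assigned from that same element on the next line, so `tok == NULL` can never hold. Either drop the three added lines, or, if the intent is to guard against `resolve_order` being reloaded underneath the loop (the commit message says an nss module reinitializes the globals), re-checking `tok` does not protect against that: if the list was freed and rebuilt, the pointer being indexed is already stale. Iterating over a private copy of the list taken before the lookups is the more robust fix.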
I must be missing something - can't see how this extra check is ever 
true. If tok is NULL, the loop would have exited 2 lines above that, 
wouldn't it?

Thanks,
Uri.
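The "borrow it down the stack, copy it if you keep it" convention Uri describes, as an added C example that is not part of the Samba patch or this thread. All names (`g_resolve_order`, `reinit_globals`, `lookup_via_nss`, `resolve_count_safe`) are hypothetical stand-ins: the global list plays the role of the resolve-order string list, `reinit_globals` plays the role of an lp_load() that frees and rebuilds it, and `lookup_via_nss` is the call deep in the chain that triggers the reinit the commit message warns about. The unsafe variant is shown for contrast but never executed, since reading the freed list is undefined behaviour.

```c
/* Added example, not Samba code: demonstrates why a caller that holds a
 * pointer to a global string list across calls that may reinitialise the
 * globals must take its own copy. Names are hypothetical stand-ins. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical global NULL-terminated list, as an lp_xxx() accessor would return. */
static char **g_resolve_order = NULL;

static void free_list(char **list)
{
    if (list == NULL) return;
    for (size_t i = 0; list[i] != NULL; i++) free(list[i]);
    free(list);
}

/* Deep copy of a NULL-terminated string list; the caller owns the result. */
static char **list_copy(char *const *src)
{
    size_t n = 0;
    while (src[n] != NULL) n++;
    char **dst = calloc(n + 1, sizeof(*dst));   /* calloc leaves dst[n] == NULL */
    if (dst == NULL) return NULL;
    for (size_t i = 0; i < n; i++) {
        dst[i] = strdup(src[i]);
        if (dst[i] == NULL) { free_list(dst); return NULL; }
    }
    return dst;
}

/* Stand-in for lp_load(): frees and rebuilds the global list. Every pointer
 * into the old list is dangling once this returns. */
static void reinit_globals(char *const *entries)
{
    free_list(g_resolve_order);
    g_resolve_order = list_copy(entries);
}

/* Stand-in for the nss-module side effect from the commit message: a lookup
 * deep in the call chain reloads the globals with a different list. */
static void lookup_via_nss(void)
{
    static char *const reloaded[] = { "host", "wins", NULL };
    reinit_globals(reloaded);
}

/* Initial state for the demo: a constructed four-entry resolve order. */
void demo_init(void)
{
    static char *const initial[] = { "lmhosts", "host", "wins", "bcast", NULL };
    reinit_globals(initial);
}

size_t global_len(void)
{
    size_t n = 0;
    while (g_resolve_order != NULL && g_resolve_order[n] != NULL) n++;
    return n;
}

/* UNSAFE pattern (the shape of the original bug): walks the global list
 * directly while a callee may free it. Shown for contrast; never call it. */
int resolve_count_unsafe(void)
{
    int count = 0;
    for (size_t i = 0; g_resolve_order[i] != NULL; i++) {
        lookup_via_nss();   /* frees g_resolve_order: the next index reads freed memory */
        count++;
    }
    return count;
}

/* SAFE pattern: take a private copy before anything that might reinit,
 * iterate the copy, and free it when done. */
int resolve_count_safe(void)
{
    char **order = list_copy(g_resolve_order);
    if (order == NULL) return -1;
    int count = 0;
    for (size_t i = 0; order[i] != NULL; i++) {
        lookup_via_nss();   /* may rebuild g_resolve_order; our copy is unaffected */
        count++;
    }
    free_list(order);
    return count;
}

int main(void)
{
    demo_init();
    printf("entries walked safely: %d\n", resolve_count_safe());
    printf("global list now has %zu entries\n", global_len());
    free_list(g_resolve_order);
    return 0;
}
```

The safe variant walks all four original entries even though the global is replaced by a two-entry list part-way through; the unsafe variant would dereference freed memory on its second iteration, which is the class of invalid access the patch set is trying to close.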
