[PATCH] Fix use after free in resolve_name()

Volker Lendecke Volker.Lendecke at SerNet.DE
Fri Oct 23 08:23:20 UTC 2015


On Fri, Oct 23, 2015 at 10:13:27AM +0300, Uri Simchoni wrote:
> 
> 
> On 10/22/2015 03:13 PM, Andreas Schneider wrote:
> >Subject: [PATCH 1/3] s3-libsmb: Fix invalid memory access to resolve order
> >  string list
> >
> >This makes sure we do not end up accessing invalid memory because a samba
> >nss module reinitializes the globals.
> Yikes! I tend to think of nss modules as canned components that just
> do their thing. It's very surprising (in a negative way) when
> they're not. Best thing would be to link libnss_wins.so statically
> with other samba code, so that it would have its own copy of
> everything.
> 
> If that's not feasible, maybe what we should aim for is "if globals
> have been initialized, don't reinitialize them". Maybe call
> lp_load_global_no_reinit() from nss_wins?
> 
> After all, who knows what other surprises are hidden by this reinit?
> Seems to me like the coding convention around lp_xxx() is that you
> can pass it around down the stack but if you want to save it beyond
> this call flow then you need your own copy.
> 
> (and, maybe that's the cue for nss_wins retirement plan? who uses
> wins these days?)

The real fix is to convert libnss_wins to use very simple
winbind calls. We just removed pam_smbpass for different
reasons.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
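
The convention discussed in the thread (a pointer obtained from the globals may be used down the stack, but needs its own copy if it must survive something that reinitializes them), as an added example that is not part of the thread or of Samba's code. All names (`cfg_order`, `cfg_reinit`, `backend_lookup`, `resolve_with_copy`) and the list values are hypothetical stand-ins.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a global parameter store; none of this is Samba code. */
static char **g_order;        /* NULL-terminated list owned by the globals */
static unsigned g_reinits;    /* how often the globals were rebuilt */

static void list_free(char **l) {
    if (!l) return;
    for (char **p = l; *p; p++) free(*p);
    free(l);
}

static char **list_dup(char *const *src) {
    size_t n = 0;
    while (src[n]) n++;
    char **dst = calloc(n + 1, sizeof(*dst));
    for (size_t i = 0; dst && i < n; i++) {
        size_t len = strlen(src[i]) + 1;
        dst[i] = malloc(len);
        if (!dst[i]) { list_free(dst); return NULL; }
        memcpy(dst[i], src[i], len);
    }
    return dst;
}

/* Rebuilds the globals: every pointer handed out earlier is now dangling. */
static void cfg_reinit(void) {
    static char *constructed[] = { "lmhosts", "wins", "host", "bcast", NULL };
    list_free(g_order);
    g_order = list_dup(constructed);   /* constructed sample values */
    g_reinits++;
}

/* Borrowed pointer into the globals, valid only until the next cfg_reinit(). */
static char **cfg_order(void) { return g_order; }

/* Stand-in for a lookup that lands in a module which reinitializes globals. */
static void backend_lookup(const char *method) { (void)method; cfg_reinit(); }

/* Iterates over a private copy. Looping over cfg_order() directly would read
 * freed memory as soon as the first backend_lookup() returned. */
int resolve_with_copy(void) {
    if (!g_order) cfg_reinit();
    if (!g_order) return -1;
    char **order = list_dup(cfg_order());
    if (!order) return -1;
    int visited = 0;
    for (char **m = order; *m; m++, visited++)
        backend_lookup(*m);            /* globals are rebuilt on every call */
    list_free(order);
    return visited;
}

unsigned reinit_count(void) { return g_reinits; }
```

Building it with `-fsanitize=address` and swapping the copy for the borrowed pointer makes the dangling read visible on the second loop iteration.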
