[PATCH] Fix use after free in resolve_name()
Andreas Schneider
asn at samba.org
Fri Oct 23 09:59:37 UTC 2015
On Friday 23 October 2015 10:13:27 Uri Simchoni wrote:
> On 10/22/2015 03:13 PM, Andreas Schneider wrote:
> > Subject: [PATCH 1/3] s3-libsmb: Fix invalid memory access to resolve order
> > string list
> >
> > This makes sure we do not end up accessing invalid memory because a samba
> > nss module reinitializes the globals.
>
> Yikes! I tend to think of nss modules as canned components that just do
> their thing. It's very surprising (in a negative way) when they're not.
> Best thing would be to link libnss_wins.so statically with other samba
> code, so that it would have its own copy of everything.
>
> If that's not feasible, maybe what we should aim for is "if globals have
> been initialized, don't reinitialize them". Maybe call
> lp_load_global_no_reinit() from nss_wins?
Maybe that's the right thing to do here.
>
> After all, who knows what other surprises are hidden by this reinit?
> Seems to me like the coding convention around lp_xxx() is that you can
> pass it around down the stack but if you want to save it beyond this
> call flow then you need your own copy.
>
> (and, maybe that's the cue for nss_wins retirement plan? who uses wins
> these days?)
>
> > for (i=0; resolve_order[i]; i++) {
> >
> > tok = resolve_order[i];
> >
> > + if (tok == NULL) {
> > + /* The last element is normally NULL, see above */
> > + break;
> > + }
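Review bot: The added tok == NULL check directly after "tok = resolve_order[i];" can never be true, because the loop condition "resolve_order[i]" has already ended the loop when that element is NULL. Drop the check, or keep the termination test in one place by writing the loop condition explicitly as "resolve_order[i] != NULL" and moving the comment about the trailing NULL element to the loop header.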
>
> I must be missing something - can't see how this extra check is ever
> true. If tok is NULL, the loop would have exited 2 lines above that,
> wouldn't it?
Yes, you're right. If we would use
for (i=0; resolve_order[i] != NULL; i++)
I would probably have seen it :)
-- andreas
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
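The convention discussed in this thread (take your own copy of a list obtained from the globals before calling code that may reinitialize them), as an added C example that is not part of the original mail and is not Samba code. `g_order`, `backend_lookup()` and the other names are hypothetical stand-ins, and the list contents are constructed sample values.

```c
#include <stdlib.h>
#include <string.h>
static char **g_order; /* hypothetical stand-in for the globals, not Samba code */

static void free_list(char **l) {
    for (size_t i = 0; l != NULL && l[i] != NULL; i++) free(l[i]);
    free(l);
}

/* Deep-copy a NULL-terminated string list (NULL input gives an empty list). */
static char **copy_list(char **src) {
    size_t n = 0;
    while (src != NULL && src[n] != NULL) n++;
    char **dst = calloc(n + 1, sizeof(*dst));
    for (size_t i = 0; dst != NULL && i < n; i++) {
        size_t len = strlen(src[i]) + 1;
        if ((dst[i] = malloc(len)) == NULL) { free_list(dst); return NULL; }
        memcpy(dst[i], src[i], len);
    }
    return dst;
}

/* Models a lookup backend that reloads the globals as a side effect. */
static int backend_lookup(const char *tok) {
    static char *defaults[] = { "lmhosts", "host", NULL };
    char **fresh = (tok != NULL) ? copy_list(defaults) : NULL;
    if (fresh == NULL) return -1;
    free_list(g_order); /* any pointer into the old list now dangles */
    g_order = fresh;
    return 0;
}

/* Walk a private copy, so a reload inside the loop cannot invalidate it. */
static int resolve_with_private_copy(void) {
    char **order = copy_list(g_order);
    int visited = 0;
    for (size_t i = 0; order != NULL && order[i] != NULL; i++) {
        if (backend_lookup(order[i]) != 0) break;
        visited++;
    }
    free_list(order);
    return visited;
}

int main(void) {
    char *cfg[] = { "lmhosts", "wins", "host", "bcast", NULL }; /* constructed */
    g_order = copy_list(cfg);
    return resolve_with_private_copy() == 4 ? 0 : 1;
}
```

All four configured entries are visited even though every lookup replaces the global list with a shorter one; iterating `g_order` directly would read the freed list after the first lookup.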
More information about the samba-technical
mailing list