[PATCH] Fix use after free in resolve_name()
Andreas Schneider
asn at samba.org
Fri Oct 23 15:58:12 UTC 2015
On Friday 23 October 2015 10:23:20 Volker Lendecke wrote:
> On Fri, Oct 23, 2015 at 10:13:27AM +0300, Uri Simchoni wrote:
> > On 10/22/2015 03:13 PM, Andreas Schneider wrote:
> > >Subject: [PATCH 1/3] s3-libsmb: Fix invalid memory access to resolve order string list
> > >
> > >This makes sure we do not end up accessing invalid memory because a samba
> > >nss module reinitializes the globals.
> >
> > Yikes! I tend to think of nss modules as canned components that just
> > do their thing. It's very surprising (in a negative way) when
> > they're not. Best thing would be to link libnss_wins.so statically
> > with other samba code, so that it would have its own copy of
> > everything.
> >
> > If that's not feasible, maybe what we should aim for is "if globals
> > have been initialized, don't reinitialize them". Maybe call
> > lp_load_global_no_reinit() from nss_wins?
> >
> > After all, who knows what other surprises are hidden by this reinit?
> > Seems to me like the coding convention around lp_xxx() is that you
> > can pass it around down the stack but if you want to save it beyond
> > this call flow then you need your own copy.
> >
> > (and, maybe that's the cue for nss_wins retirement plan? who uses
> > wins these days?)
>
> The real fix is to convert libnss_wins to use very simple
> winbind calls. We just removed pam_smbpass for different
> reasons.
https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-nss_wins
Work in progress. Not tested yet ...
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
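
Added example, not part of the original thread and not Samba's code: a minimal C model of the hazard discussed above, where a resolve-order string list owned by shared globals is freed when a lookup reinitializes those globals, and the "take your own copy" convention that avoids it. All names (`g_resolve_order`, `globals_init`, `lookup_via_module`, `resolve_walk`) are hypothetical stand-ins.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the shared globals; not Samba's own code. */
static char **g_resolve_order;  /* NULL-terminated list owned by the globals */
static unsigned g_generation;   /* bumped on every (re)initialization */

static void list_free(char **l) {
    for (char **p = l; p && *p; p++) free(*p);
    free(l);
}

static char **list_copy(const char *const *src) {
    size_t n = 0;
    while (src[n]) n++;
    char **out = calloc(n + 1, sizeof(*out));
    for (size_t i = 0; out && i < n; i++) {
        size_t len = strlen(src[i]) + 1;
        out[i] = malloc(len);
        if (!out[i]) { list_free(out); return NULL; }
        memcpy(out[i], src[i], len);
    }
    return out;
}

/* Reinitializing frees the old list, so every borrowed pointer to it dangles. */
static int globals_init(const char *const *order) {
    char **fresh = list_copy(order);
    if (!fresh) return -1;
    list_free(g_resolve_order);
    g_resolve_order = fresh;
    g_generation++;
    return 0;
}

/* Stand-in for a lookup that loads a module which reinitializes the globals. */
static void lookup_via_module(void) {
    static const char *const order[] = { "host", NULL };
    globals_init(order);
}

/* Walk a private copy: the borrowed list may be freed during any lookup. */
static int resolve_walk(void) {
    if (!g_resolve_order) return -1;
    char **mine = list_copy((const char *const *)g_resolve_order);
    if (!mine) return -1;
    int n = 0;
    for (char **p = mine; *p; p++, n++) lookup_via_module();
    list_free(mine);
    return n;
}
```

Iterating `g_resolve_order` directly in `resolve_walk()` would read freed memory after the first lookup; building that variant with `-fsanitize=address` reports it as a heap-use-after-free.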