authorLukas Slebodnik <lslebodn@redhat.com>2014-08-20 17:04:34 +0200
committerJakub Hrozek <jhrozek@redhat.com>2014-08-22 11:00:24 +0200
commit046806a30e857fab10d37ee588edc1917aec4898 (patch)
tree7b54f4d4759dbbef26c30bc416c62964308769fe
parentd35cd0198a5e60795b6766a90d536be5b0b7dacb (diff)
dyndns: Fix talloc hierarchy of "struct sss_iface_addr"
Structure "struct sdap_dyndns_update_state" has two linked lists of structures "struct sss_iface_addr": addresses, dns_addrlist. In *_recv functions, the linked list was talloc-stolen to structure sss_iface_addr, but only the 1st member was moved to the "state" talloc context. The other members of the linked list were freed when the subrequest was removed, which caused a use-after-free problem. Resolves: https://fedorahosted.org/sssd/ticket/2405 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 0060992d68ba843d4d90b491a1500b6290789a5c)
-rw-r--r--src/providers/dp_dyndns.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/src/providers/dp_dyndns.c b/src/providers/dp_dyndns.c
index faeb47364..998cb054a 100644
--- a/src/providers/dp_dyndns.c
+++ b/src/providers/dp_dyndns.c
@@ -66,6 +66,9 @@ sss_iface_addr_add(TALLOC_CTX *mem_ctx, struct sss_iface_addr **list,
talloc_zfree(address);
return NULL;
}
+
+ /* steal old dlist to the new head */
+ talloc_steal(address, *list);
DLIST_ADD(*list, address);
return address;
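Review bot: The comment `/* steal old dlist to the new head */` in sss_iface_addr_add says what the call does but not the ownership rule it creates. After `talloc_steal(address, *list)` each element is a talloc child of the element in front of it, so freeing any element also frees every element behind it. Code that unlinks a single element and frees it would release the rest of the list as well, which is the same class of use after free this commit is fixing. I would expand the comment to something like `/* each node owns the node after it: free the head to free the whole list, never a single node */`. The same applies to the identical addition in sss_iface_addr_list_get; both function bodies start outside their hunks.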
@@ -251,6 +254,9 @@ sss_iface_addr_list_get(TALLOC_CTX *mem_ctx, const char *ifname,
ret = ENOMEM;
goto done;
}
+
+ /* steal old dlist to the new head */
+ talloc_steal(address, addrlist);
DLIST_ADD(addrlist, address);
}
}
@@ -686,6 +692,9 @@ nsupdate_get_addrs_done(struct tevent_req *subreq)
if (state->addrlist) {
talloc_steal(state->addrlist, addr);
}
+
+ /* steal old dlist to the new head */
+ talloc_steal(addr, state->addrlist);
DLIST_ADD(state->addrlist, addr);
}
state->count += count;
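Review bot: In nsupdate_get_addrs_done the added `talloc_steal(addr, state->addrlist);` runs right after the unchanged `talloc_steal(state->addrlist, addr);`, so the two steals point in opposite directions. When the list is non-empty, addr is first made a child of the old head and the old head is then made a child of addr. That appears to leave the two chunks as each other's parent and no longer attached to state, so they would likely not be released together with the request state. I would drop the unchanged `if (state->addrlist) { talloc_steal(state->addrlist, addr); }` block and keep only the new steal, so ownership runs from the new head to the old list as in the other two hunks. Where addr is allocated is outside the hunk, so this should be checked against the full function.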