authorLukas Slebodnik <lslebodn@redhat.com>2015-01-24 09:17:35 -0500
committerJakub Hrozek <jhrozek@redhat.com>2015-01-30 11:37:10 +0100
commit697d13aea5f6b020813111f1a50511cfc440f91c (patch)
treefc21738ebd9c9b6fe6db4ee4a95f6ecddf682774
parentdcb16038ac779186aebbd7d37caab3736cb01466 (diff)
PROXY: Fix use after free
The dbus_req and associated talloc context are no longer valid after execution of the function sbus_request_return_and_finish even if error code was returned. ==32479== Invalid read of size 8 ==32479== at 0x131F275F: client_registration (proxy_init.c:474) ==32479== by 0x529709E: sbus_request_invoke_or_finish (sssd_dbus_request.c:69) ==32479== by 0x52949B3: sbus_handler_got_caller_id (sssd_dbus_connection.c:555) ==32479== by 0x89B27E3: tevent_common_loop_immediate (tevent_immediate.c:135) ==32479== by 0x89B70CD: epoll_event_loop_once (tevent_epoll.c:907) ==32479== by 0x89B57D6: std_event_loop_once (tevent_standard.c:114) ==32479== by 0x89B1FBC: _tevent_loop_once (tevent.c:530) ==32479== by 0x89B215A: tevent_common_loop_wait (tevent.c:634) ==32479== by 0x89B5776: std_event_loop_wait (tevent_standard.c:140) ==32479== by 0x529E255: server_loop (server.c:668) ==32479== by 0x40DBC5: main (data_provider_be.c:2915) ==32479== Address 0xb700858 is 104 bytes inside a block of size 136 free'd ==32479== at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==32479== by 0x8BBE462: _talloc_free (in /usr/lib64/libtalloc.so.2.1.1) ==32479== by 0x52971A4: sbus_request_finish (sssd_dbus_request.c:95) ==32479== by 0x529731A: sbus_request_return_and_finish (sssd_dbus_request.c:119) ==32479== by 0x131F264D: client_registration (proxy_init.c:443) ==32479== by 0x529709E: sbus_request_invoke_or_finish (sssd_dbus_request.c:69) ==32479== by 0x52949B3: sbus_handler_got_caller_id (sssd_dbus_connection.c:555) ==32479== by 0x89B27E3: tevent_common_loop_immediate (tevent_immediate.c:135) ==32479== by 0x89B70CD: epoll_event_loop_once (tevent_epoll.c:907) ==32479== by 0x89B57D6: std_event_loop_once (tevent_standard.c:114) ==32479== by 0x89B1FBC: _tevent_loop_once (tevent.c:530) ==32479== by 0x89B215A: tevent_common_loop_wait (tevent.c:634) Resolves: https://fedorahosted.org/sssd/ticket/2573 Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 
33889b2ad764beb6b129f5211b1fab9790da8884) (cherry picked from commit 31dd2a8c5042493b24ef4f9360139525c018bcb4)
-rw-r--r--src/providers/proxy/proxy_init.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/providers/proxy/proxy_init.c b/src/providers/proxy/proxy_init.c
index dd1b75826..c3a04fb08 100644
--- a/src/providers/proxy/proxy_init.c
+++ b/src/providers/proxy/proxy_init.c
@@ -452,7 +452,7 @@ static int client_registration(struct sbus_request *dbus_req, void *data)
if (hret != HASH_SUCCESS) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Hash error [%d][%s]\n", hret, hash_error_string(hret));
- sbus_disconnect(dbus_req->conn);
+ sbus_disconnect(conn);
}
/* Signal that the child is up and ready to receive the request */
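Review bot: After `sbus_disconnect(conn);` the `if (hret != HASH_SUCCESS)` branch closes without returning, so execution appears to continue into the "Signal that the child is up" code even though the lookup failed and the connection was just dropped. If the code below reads the lookup result (not visible in this hunk), it would operate on a value the failed lookup never filled in; returning right after the disconnect, for example `return EIO;`, would close that path. The assignment of `conn` and the call to sbus_request_return_and_finish both sit outside the hunk, so confirm that `conn` is captured before that call. client_registration starts and ends outside this hunk.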
@@ -471,7 +471,7 @@ static int client_registration(struct sbus_request *dbus_req, void *data)
}
init_ctx = tevent_req_data(child_ctx->init_req, struct pc_init_ctx);
- init_ctx->conn = dbus_req->conn;
+ init_ctx->conn = conn;
tevent_req_done(child_ctx->init_req);
child_ctx->init_req = NULL;
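Review bot: Nothing at the `init_ctx->conn = conn;` line tells a later reader that `dbus_req` must not be dereferenced at this point, so the same use after free is easy to reintroduce. A short comment above the assignment would pin it down: `/* dbus_req was freed by sbus_request_return_and_finish(); use the saved conn */`. It is also worth confirming that `conn` is not owned by the talloc context released together with dbus_req, since the pointer is stored in init_ctx and outlives this call; that ownership is not visible here. client_registration's body continues outside the hunk.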