diff options
author | Lukas Slebodnik <lslebodn@redhat.com> | 2014-03-25 17:57:32 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-03-31 16:54:11 +0200 |
commit | a73c892cafebbeb4ee5a8167989174ceb4539ca7 (patch) | |
tree | 884ec494bc8eabf8c294551d340fa9d1b9301c92 | |
parent | 1c1693ee1a74f27caaef416d9dce5c14b0ad53f9 (diff) | |
download | sssd-a73c892cafebbeb4ee5a8167989174ceb4539ca7.tar.gz sssd-a73c892cafebbeb4ee5a8167989174ceb4539ca7.tar.xz sssd-a73c892cafebbeb4ee5a8167989174ceb4539ca7.zip |
IPA: Use function sysdb_attrs_get_el in safe way
Function sysdb_attrs_get_el can enlarge array of ldb_message_element in "struct
sysdb_attrs" if attribute is not among available attributes. Array will be
enlarged with function talloc_realloc but realloc can move array to another
place in memory therefore ldb_message_element should not be used after next
call of function sysdb_attrs_get_el
sysdb_attrs_get_el(netgroup, SYSDB_ORIG_MEMBER_USER, &user_found);
sysdb_attrs_get_el(netgroup, SYSDB_ORIG_MEMBER_HOST, &host_found);
With netgroups, it is common to omit user or host from netgroup triple.
There is very high probability that realloc will be called. it is possible
pointer user_found can refer to the old area after the second call of function
sysdb_attrs_get_el.
Resolves:
https://fedorahosted.org/sssd/ticket/2284
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit c048657aa2fbb246b5dc199ef6101bfd6e5eeaea)
-rw-r--r-- | src/providers/ipa/ipa_netgroups.c | 17 |
1 files changed, 7 insertions, 10 deletions
diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c index 0deb3944e..0ddc6bff4 100644 --- a/src/providers/ipa/ipa_netgroups.c +++ b/src/providers/ipa/ipa_netgroups.c @@ -294,9 +294,7 @@ static void ipa_get_netgroups_process(struct tevent_req *subreq) struct ipa_get_netgroups_state *state = tevent_req_data(req, struct ipa_get_netgroups_state); int i, ret; - struct ldb_message_element *ng_found; - struct ldb_message_element *host_found; - struct ldb_message_element *user_found; + struct ldb_message_element *el; struct sdap_search_base **netgr_bases; struct sysdb_attrs **netgroups; size_t netgroups_count; @@ -342,16 +340,19 @@ static void ipa_get_netgroups_process(struct tevent_req *subreq) for (i = 0; i < netgroups_count; i++) { ret = sysdb_attrs_get_el(netgroups[i], SYSDB_ORIG_NETGROUP_MEMBER, - &ng_found); + &el); if (ret != EOK) goto done; + if (el->num_values) state->entities_found |= ENTITY_NG; ret = sysdb_attrs_get_el(netgroups[i], SYSDB_ORIG_MEMBER_USER, - &user_found); + &el); if (ret != EOK) goto done; + if (el->num_values) state->entities_found |= ENTITY_USER; ret = sysdb_attrs_get_el(netgroups[i], SYSDB_ORIG_MEMBER_HOST, - &host_found); + &el); if (ret != EOK) goto done; + if (el->num_values) state->entities_found |= ENTITY_HOST; ret = sysdb_attrs_get_string(netgroups[i], SYSDB_ORIG_DN, &orig_dn); if (ret != EOK) { @@ -368,10 +369,6 @@ static void ipa_get_netgroups_process(struct tevent_req *subreq) goto done; } - if (ng_found->num_values) state->entities_found |= ENTITY_NG; - if (user_found->num_values) state->entities_found |= ENTITY_USER; - if (host_found->num_values) state->entities_found |= ENTITY_HOST; - if (state->entities_found == 0) { continue; } |