authorLukas Slebodnik <lslebodn@redhat.com>2014-03-25 17:57:32 +0100
committerJakub Hrozek <jhrozek@redhat.com>2014-03-31 16:54:11 +0200
commita73c892cafebbeb4ee5a8167989174ceb4539ca7 (patch)
tree884ec494bc8eabf8c294551d340fa9d1b9301c92
parent1c1693ee1a74f27caaef416d9dce5c14b0ad53f9 (diff)
IPA: Use function sysdb_attrs_get_el in safe way
Function sysdb_attrs_get_el can enlarge the array of ldb_message_element in "struct sysdb_attrs" if the attribute is not among the available attributes. The array will be enlarged with function talloc_realloc, but realloc can move the array to another place in memory; therefore an ldb_message_element should not be used after the next call of function sysdb_attrs_get_el:

sysdb_attrs_get_el(netgroup, SYSDB_ORIG_MEMBER_USER, &user_found);
sysdb_attrs_get_el(netgroup, SYSDB_ORIG_MEMBER_HOST, &host_found);

With netgroups, it is common to omit user or host from the netgroup triple. There is a very high probability that realloc will be called. It is possible that pointer user_found refers to the old area after the second call of function sysdb_attrs_get_el.

Resolves: https://fedorahosted.org/sssd/ticket/2284
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit c048657aa2fbb246b5dc199ef6101bfd6e5eeaea)
-rw-r--r--src/providers/ipa/ipa_netgroups.c17
1 files changed, 7 insertions, 10 deletions
diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c
index 0deb3944e..0ddc6bff4 100644
--- a/src/providers/ipa/ipa_netgroups.c
+++ b/src/providers/ipa/ipa_netgroups.c
@@ -294,9 +294,7 @@ static void ipa_get_netgroups_process(struct tevent_req *subreq)
struct ipa_get_netgroups_state *state = tevent_req_data(req,
struct ipa_get_netgroups_state);
int i, ret;
- struct ldb_message_element *ng_found;
- struct ldb_message_element *host_found;
- struct ldb_message_element *user_found;
+ struct ldb_message_element *el;
struct sdap_search_base **netgr_bases;
struct sysdb_attrs **netgroups;
size_t netgroups_count;
@@ -342,16 +340,19 @@ static void ipa_get_netgroups_process(struct tevent_req *subreq)
for (i = 0; i < netgroups_count; i++) {
ret = sysdb_attrs_get_el(netgroups[i], SYSDB_ORIG_NETGROUP_MEMBER,
- &ng_found);
+ &el);
if (ret != EOK) goto done;
+ if (el->num_values) state->entities_found |= ENTITY_NG;
ret = sysdb_attrs_get_el(netgroups[i], SYSDB_ORIG_MEMBER_USER,
- &user_found);
+ &el);
if (ret != EOK) goto done;
+ if (el->num_values) state->entities_found |= ENTITY_USER;
ret = sysdb_attrs_get_el(netgroups[i], SYSDB_ORIG_MEMBER_HOST,
- &host_found);
+ &el);
if (ret != EOK) goto done;
+ if (el->num_values) state->entities_found |= ENTITY_HOST;
ret = sysdb_attrs_get_string(netgroups[i], SYSDB_ORIG_DN, &orig_dn);
if (ret != EOK) {
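Review bot: Nothing in the loop records why `el` has to be consumed before the next `sysdb_attrs_get_el()` call, so a later refactor that moves the `num_values` checks back down or keeps a second element pointer would quietly reintroduce the stale-pointer read this commit removes. I would add a comment above the first call, for example `/* el is valid only until the next sysdb_attrs_get_el() on the same attrs; the element array may be reallocated and moved */`, and ideally state the same lifetime rule where `sysdb_attrs_get_el` is declared, which is outside this diff. As a style point, the three `if (el->num_values) state->entities_found |= ...;` lines put an unbraced body on the same line as the condition; bracing them would make the flag updates harder to misread next to the `goto done` checks. The body of `ipa_get_netgroups_process` starts and ends outside the hunk, so whether `entities_found` is reset for each netgroup cannot be confirmed from here.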
@@ -368,10 +369,6 @@ static void ipa_get_netgroups_process(struct tevent_req *subreq)
goto done;
}
- if (ng_found->num_values) state->entities_found |= ENTITY_NG;
- if (user_found->num_values) state->entities_found |= ENTITY_USER;
- if (host_found->num_values) state->entities_found |= ENTITY_HOST;
-
if (state->entities_found == 0) {
continue;
}