diff options
| author | Pavel Březina <pbrezina@redhat.com> | 2015-10-26 11:28:36 +0100 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-10-30 11:50:03 +0100 |
| commit | 2341c8ccfe6225ee4ac5904c177a9200ba617a04 (patch) | |
| tree | e987518a9721e95d1ce10c8075d2603e1f735d50 | |
| parent | 55345aa1aaf1df23e5dfe8d584663f9fe6c4aeb9 (diff) | |
| download | sssd-2341c8ccfe6225ee4ac5904c177a9200ba617a04.tar.gz sssd-2341c8ccfe6225ee4ac5904c177a9200ba617a04.tar.xz sssd-2341c8ccfe6225ee4ac5904c177a9200ba617a04.zip | |
sss_override: do not free ldb_dn in get_object_dn()
When only str_dn is requested, ldb_dn is freed. This triggers access
after free since str_dn is part of ldb_dn talloc context.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
| -rw-r--r-- | src/tools/sss_override.c | 38 |
1 files changed, 29 insertions, 9 deletions
diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c index 091e1a8ef..c8f1413b5 100644 --- a/src/tools/sss_override.c +++ b/src/tools/sss_override.c @@ -581,35 +581,55 @@ static errno_t get_object_dn(TALLOC_CTX *mem_ctx, struct ldb_dn **_ldb_dn, const char **_str_dn) { + TALLOC_CTX *tmp_ctx; struct ldb_dn *ldb_dn; + const char *str_dn; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return ENOMEM; + } switch (type) { case SYSDB_MEMBER_USER: - ldb_dn = sysdb_user_dn(mem_ctx, domain, name); + ldb_dn = sysdb_user_dn(tmp_ctx, domain, name); break; case SYSDB_MEMBER_GROUP: - ldb_dn = sysdb_group_dn(mem_ctx, domain, name); + ldb_dn = sysdb_group_dn(tmp_ctx, domain, name); break; default: DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported member type %d\n", type); - return ERR_INTERNAL; + ret = ERR_INTERNAL; + goto done; } if (ldb_dn == NULL) { - return ENOMEM; + ret = ENOMEM; + goto done; } if (_str_dn != NULL) { - *_str_dn = ldb_dn_get_linearized(ldb_dn); + str_dn = talloc_strdup(tmp_ctx, ldb_dn_get_linearized(ldb_dn)); + if (str_dn == NULL) { + ret = ENOMEM; + goto done; + } + + *_str_dn = talloc_steal(mem_ctx, str_dn); } if (_ldb_dn != NULL) { - *_ldb_dn = ldb_dn; - } else { - talloc_free(ldb_dn); + *_ldb_dn = talloc_steal(mem_ctx, ldb_dn); } - return EOK; + ret = EOK; + +done: + talloc_free(tmp_ctx); + + return ret; } static errno_t override_object_add(struct sss_domain_info *domain, |