author | Lukas Slebodnik <lslebodn@redhat.com> | 2015-08-07 14:29:45 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-08-20 22:48:28 +0200 |
commit | b9901fe3d6cfe05cd75a2440c0f9c7985aea36c6 (patch) | |
tree | e604767d048125d6917d3cbf202085c1306a1659 | |
parent | 23fb01bf67a6058fb508da6d81515e8b18634beb (diff) | |
NSS: Fix use after free
It can happen if there are two domains and the user is not found
in the first one.
==29279== Invalid read of size 1
==29279== at 0x4C2CBA2: strlen (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==29279== by 0x89A7AC4: talloc_strdup (in /usr/lib64/libtalloc.so.2.1.2)
==29279== by 0x11668A: nss_cmd_initgroups_search (nsssrv_cmd.c:4191)
==29279== by 0x118B27: nss_cmd_getby_dp_callback (nsssrv_cmd.c:1208)
==29279== by 0x10F2B4: nsssrv_dp_send_acct_req_done (nsssrv_cmd.c:759)
==29279== by 0x126AFB: sss_dp_internal_get_done (responder_dp.c:802)
==29279== by 0x56EA861: ??? (in /usr/lib64/libdbus-1.so.3.7.4)
==29279== by 0x56EDB50: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.7.4)
==29279== by 0x50721E1: sbus_dispatch (sssd_dbus_connection.c:96)
==29279== by 0x879B22E: tevent_common_loop_timer_delay (tevent_timed.c:341)
==29279== by 0x879C239: epoll_event_loop_once (tevent_epoll.c:911)
==29279== by 0x879A936: std_event_loop_once (tevent_standard.c:114)
==29279== Address 0xbbad240 is 96 bytes inside a block of size 106 free'd
==29279== at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==29279== by 0x89A46E3: _talloc_free (in /usr/lib64/libtalloc.so.2.1.2)
==29279== by 0x116679: nss_cmd_initgroups_search (nsssrv_cmd.c:4190)
==29279== by 0x118B27: nss_cmd_getby_dp_callback (nsssrv_cmd.c:1208)
==29279== by 0x10F2B4: nsssrv_dp_send_acct_req_done (nsssrv_cmd.c:759)
==29279== by 0x126AFB: sss_dp_internal_get_done (responder_dp.c:802)
==29279== by 0x56EA861: ??? (in /usr/lib64/libdbus-1.so.3.7.4)
==29279== by 0x56EDB50: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.7.4)
==29279== by 0x50721E1: sbus_dispatch (sssd_dbus_connection.c:96)
==29279== by 0x879B22E: tevent_common_loop_timer_delay (tevent_timed.c:341)
==29279== by 0x879C239: epoll_event_loop_once (tevent_epoll.c:911)
==29279== by 0x879A936: std_event_loop_once (tevent_standard.c:114)
Resolves:
https://fedorahosted.org/sssd/ticket/2749
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-rw-r--r-- | src/responder/nss/nsssrv_cmd.c | 6 | ||||
-rw-r--r-- | src/responder/nss/nsssrv_private.h | 1 |
2 files changed, 4 insertions, 3 deletions
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index e754245ea..43cdb135c 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -4143,7 +4143,7 @@ static int nss_cmd_initgr_send_reply(struct nss_dom_ctx *dctx)
 }
 ret = fill_initgr(cctx->creq->out, dctx->domain, dctx->res, nctx,
- dctx->mc_name, cmdctx->name);
+ dctx->mc_name, cmdctx->normalized_name);
 if (ret) {
 return ret;
 }
@@ -4187,14 +4187,14 @@ static int nss_cmd_initgroups_search(struct nss_dom_ctx *dctx)
 /* make sure to update the dctx if we changed domain */
 dctx->domain = dom;
- talloc_free(name);
+ talloc_zfree(cmdctx->normalized_name);
 name = sss_get_cased_name(dctx, cmdctx->name, dom->case_sensitive);
 if (!name) return ENOMEM;
 name = sss_reverse_replace_space(cmdctx, name, nctx->rctx->override_space);
 /* save name so it can be used in initgr reply */
- cmdctx->name = name;
+ cmdctx->normalized_name = name;
 if (name == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE, "sss_reverse_replace_space failed\n");
diff --git a/src/responder/nss/nsssrv_private.h b/src/responder/nss/nsssrv_private.h
index e5a2486f1..72f7b7560 100644
--- a/src/responder/nss/nsssrv_private.h
+++ b/src/responder/nss/nsssrv_private.h
@@ -31,6 +31,7 @@ struct nss_cmd_ctx {
 struct cli_ctx *cctx;
 enum sss_cli_command cmd;
 char *name;
+ const char *normalized_name;
 bool name_is_upn;
 uint32_t id;
 char *secid; |
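Review bot: The `fill_initgr(...)` call in `nss_cmd_initgr_send_reply` now passes `cmdctx->normalized_name` without checking that it was ever set. In this diff the field is assigned only inside `nss_cmd_initgroups_search`, which also resets it to NULL through `talloc_zfree` at the start of each domain iteration. Whether `fill_initgr` tolerates a NULL name is not visible here, so a guard before the call, `if (cmdctx->normalized_name == NULL) return EINVAL;`, would make the dependency explicit and turn a possible NULL dereference into an error return. The function body starts and ends outside the hunk.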
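Review bot: Nothing at the `talloc_zfree(cmdctx->normalized_name)` line in `nss_cmd_initgroups_search` records the invariant the earlier code broke, namely that `cmdctx->name` is read again by `sss_get_cased_name(dctx, cmdctx->name, ...)` on every domain iteration and so must never be freed or replaced inside this loop. A comment above the free, `/* cmdctx->name is re-read for each domain; release only the per-domain copy */`, would help keep the use after free from being reintroduced. The local `name` also holds two strings in consecutive lines, one allocated with `dctx` as the context argument and then one allocated with `cmdctx`; separate locals would make the two owners easier to follow. The function body starts and ends outside the hunk.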
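Review bot: The new `normalized_name` member of `struct nss_cmd_ctx` is declared `const char *`, yet the search code frees it with `talloc_zfree(cmdctx->normalized_name)`, so the struct evidently owns the string. Declaring it `char *normalized_name;`, like `name` just above it, would show that ownership in the type instead of relying on the free macro to discard the qualifier. The field also has no comment separating it from `name`; something like `/* per-domain normalized copy of name, replaced on each domain iteration */` would tell a reader which of the two may be freed. The struct definition starts and ends outside the hunk.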