Fixing serious memory allocation bug in sbus_message_handler.

dbus_message_append_args() adds a reference to memory that is not copied to the outgoing message until dbus_connection_send() is called. Since we compile our reply messages in functions and then return the reply, we need a mechanism for deleting allocated memory after invoking dbus_connection_send. I have changed the arguments to sbus_msg_handler_fn so that it takes a talloc ctx containing the sbus_message_handler_ctx and a pointer to a reply object. We can now allocate memory as a child of the reply context and free it after calling dbus_connection_send.
author: Stephen Gallagher <sgallagh@redhat.com> 2009-02-23 15:43:31 -0500
committer: Simo Sorce <idra@samba.org> 2009-02-23 16:20:52 -0500
commit: 13421cbe0af4343f9d110600755ffa756690b282 (patch)
tree: fab749d3fd49148ec62d7d664c933fb40b36d9a9 /server/sbus
parent: f8469b71247b5a41cfdf0f54c25ceda1552e0ee9 (diff)
download: sssd-13421cbe0af4343f9d110600755ffa756690b282.tar.gz
sssd-13421cbe0af4343f9d110600755ffa756690b282.tar.xz
sssd-13421cbe0af4343f9d110600755ffa756690b282.zip
2 files changed, 29 insertions, 11 deletions
diff --git a/server/sbus/sssd_dbus.h b/server/sbus/sssd_dbus.h
index c75bbc937..bc65e3146 100644
--- a/server/sbus/sssd_dbus.h
+++ b/server/sbus/sssd_dbus.h
@@ -27,7 +27,8 @@ struct sbus_srv_ctx;
 
 #include "dbus/dbus.h"
 
-typedef int (*sbus_msg_handler_fn)(DBusMessage *, void *, DBusMessage **);
+struct sbus_message_ctx;
+typedef int (*sbus_msg_handler_fn)(DBusMessage *, struct sbus_message_ctx *);
 
 /*
  * sbus_conn_destructor_fn
@@ -71,6 +72,11 @@ struct sbus_message_handler_ctx {
     struct sbus_method_ctx *method_ctx;
 };
 
+struct sbus_message_ctx {
+    struct sbus_message_handler_ctx *mh_ctx;
+    DBusMessage *reply_message;
+};
+
 /* Server Functions */
 int sbus_new_server(TALLOC_CTX *mem_ctx,
                     struct event_context *ev, struct sbus_method_ctx *ctx,
diff --git a/server/sbus/sssd_dbus_connection.c b/server/sbus/sssd_dbus_connection.c
index d02dc6c85..186df3563 100644
--- a/server/sbus/sssd_dbus_connection.c
+++ b/server/sbus/sssd_dbus_connection.c
@@ -483,7 +483,7 @@ DBusHandlerResult sbus_message_handler(DBusConnection *conn,
     const char *method;
     const char *path;
     const char *msg_interface;
-    DBusMessage *reply = NULL;
+    struct sbus_message_ctx *reply = NULL;
     int i, ret;
     int found;
 
@@ -503,14 +503,22 @@ DBusHandlerResult sbus_message_handler(DBusConnection *conn,
     if (strcmp(path, ctx->method_ctx->path) != 0)
         return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
 
+    reply = talloc_zero(ctx, struct sbus_message_ctx);
+    if (!reply) return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+    reply->mh_ctx = ctx;
+    reply->reply_message = NULL;
+
     /* Validate the method interface */
     if (strcmp(msg_interface, ctx->method_ctx->interface) == 0) {
         found = 0;
         for (i = 0; ctx->method_ctx->methods[i].method != NULL; i++) {
             if (strcmp(method, ctx->method_ctx->methods[i].method) == 0) {
                 found = 1;
-                ret = ctx->method_ctx->methods[i].fn(message, ctx, &reply);
-                if (ret != EOK) return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+                ret = ctx->method_ctx->methods[i].fn(message, reply);
+                if (ret != EOK) {
+                    talloc_free(reply);
+                    return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+                }
                 break;
             }
         }
@@ -518,7 +526,7 @@ DBusHandlerResult sbus_message_handler(DBusConnection *conn,
         if (!found) {
             /* Reply DBUS_ERROR_UNKNOWN_METHOD */
             DEBUG(1, ("No matching method found for %s.\n", method));
-            reply = dbus_message_new_error(message, DBUS_ERROR_UNKNOWN_METHOD, NULL);
+            reply->reply_message = dbus_message_new_error(message, DBUS_ERROR_UNKNOWN_METHOD, NULL);
         }
     }
     else {
@@ -532,20 +540,24 @@ DBusHandlerResult sbus_message_handler(DBusConnection *conn,
                 /* If we have been asked for introspection data and we have
                  * an introspection function registered, user that.
                  */
-                ret = ctx->method_ctx->introspect_fn(message, ctx, &reply);
-                if (ret != EOK) return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+                ret = ctx->method_ctx->introspect_fn(message, reply);
+                if (ret != EOK) {
+                    talloc_free(reply);
+                    return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+                }
             }
         }
         else
             return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
     }
 
-    DEBUG(5, ("Method %s complete. Reply was %ssent.\n", method, reply?"":"not "));
+    DEBUG(5, ("Method %s complete. Reply was %ssent.\n", method, reply->reply_message?"":"not "));
 
-    if (reply) {
-        dbus_connection_send(conn, reply, NULL);
-        dbus_message_unref(reply);
+    if (reply->reply_message) {
+        dbus_connection_send(conn, reply->reply_message, NULL);
+        dbus_message_unref(reply->reply_message);
     }
+    talloc_free(reply);
 
     return DBUS_HANDLER_RESULT_HANDLED;
 }
author	Stephen Gallagher <sgallagh@redhat.com>	2009-02-23 15:43:31 -0500
committer	Simo Sorce <idra@samba.org>	2009-02-23 16:20:52 -0500
commit	13421cbe0af4343f9d110600755ffa756690b282 (patch)
tree	fab749d3fd49148ec62d7d664c933fb40b36d9a9 /server/sbus
parent	f8469b71247b5a41cfdf0f54c25ceda1552e0ee9 (diff)
download	sssd-13421cbe0af4343f9d110600755ffa756690b282.tar.gz sssd-13421cbe0af4343f9d110600755ffa756690b282.tar.xz sssd-13421cbe0af4343f9d110600755ffa756690b282.zip