author | Lukas Slebodnik <lslebodn@redhat.com> | 2014-04-08 10:56:22 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-04-08 14:12:23 +0200 |
commit | 47bc2d6639c41da1e5bac37eb4af3559bbc0e10e (patch) | |
tree | 0bc82e199cf373bead318d8d32d768d446e26da0 /src/providers | |
parent | dce1791fc357bebf938f9af93d7e0ec72ac7f719 (diff) | |
krb5_child: Fix use after free in debug message
debug_prg_name is used in debug_fn and it was allocated under
talloc context "kr". The variable "kr" was removed before the last debug
messages in function main. There is very little chance that it will be overwritten.
It is possible to see this issue with exported environment variable
TALLOC_FREE_FILL=255
Reviewed-by: Sumit Bose <sbose@redhat.com>
Diffstat (limited to 'src/providers')
-rw-r--r-- | src/providers/krb5/krb5_child.c | 26 | ||||
-rw-r--r-- | src/providers/ldap/ldap_child.c | 1 |
2 files changed, 16 insertions, 11 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index c243d063b..81f86bbe8 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1999,14 +1999,9 @@ int main(int argc, const char *argv[])
 DEBUG_INIT(debug_level);
- kr = talloc_zero(NULL, struct krb5_req);
- if (kr == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n");
- exit(-1);
- }
-
- debug_prg_name = talloc_asprintf(kr, "[sssd[krb5_child[%d]]]", getpid());
+ debug_prg_name = talloc_asprintf(NULL, "[sssd[krb5_child[%d]]]", getpid());
 if (!debug_prg_name) {
+ debug_prg_name = "[sssd[krb5_child]]";
 DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
 ret = ENOMEM;
 goto done;
@@ -2021,6 +2016,14 @@ int main(int argc, const char *argv[])
 DEBUG(SSSDBG_TRACE_FUNC, "krb5_child started.\n");
+ kr = talloc_zero(NULL, struct krb5_req);
+ if (kr == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ talloc_steal(kr, debug_prg_name);
+
 ret = k5c_recv_data(kr, STDIN_FILENO, &offline);
 if (ret != EOK) {
 goto done;
@@ -2079,13 +2082,14 @@ int main(int argc, const char *argv[])
 }
 done:
- krb5_cleanup(kr);
- talloc_free(kr);
 if (ret == EOK) {
 DEBUG(SSSDBG_TRACE_FUNC, "krb5_child completed successfully\n");
- exit(0);
+ ret = 0;
 } else {
 DEBUG(SSSDBG_CRIT_FAILURE, "krb5_child failed!\n");
- exit(-1);
+ ret = -1;
 }
+ krb5_cleanup(kr);
+ talloc_free(kr);
+ exit(ret);
 }
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index 34f23ec80..0e5e1614a 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -462,6 +462,7 @@ int main(int argc, const char *argv[])
 debug_prg_name = talloc_asprintf(NULL, "[sssd[ldap_child[%d]]]", getpid());
 if (!debug_prg_name) {
+ debug_prg_name = "[sssd[ldap_child]]";
 DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
 goto fail;
 }
 |
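Review bot: The fallback `debug_prg_name = "[sssd[krb5_child]]";` in the first krb5_child.c hunk leaves the global pointing at static storage on this one path while every other path keeps it talloc-allocated, and nothing in the code records that difference. It is safe here only because the `goto done` skips the `talloc_steal(kr, debug_prg_name)` added in the next hunk; a string literal must never reach talloc_steal() or talloc_free(). I would add a comment above the assignment, for example `/* static fallback so DEBUG() still has a prefix; never pass this value to talloc_steal()/talloc_free() */`. The identical fallback in the ldap_child.c hunk needs the same comment, and its `fail` label lies outside the visible lines, so whether that path frees debug_prg_name cannot be confirmed from this diff. main's body starts and ends outside this hunk.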
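Review bot: `talloc_steal(kr, debug_prg_name);` in the second krb5_child.c hunk re-attaches the logging prefix to kr, which is the same lifetime coupling that produced the use-after-free this commit fixes. After this change correctness depends on an unwritten ordering rule: no DEBUG() call may run once `talloc_free(kr)` has executed at `done`, and debug_prg_name stays dangling from that point until exit(). If the steal is kept (presumably to keep leak checkers quiet), the invariant should be documented at the steal, e.g. `/* debug_prg_name is owned by kr from here on: no DEBUG() after talloc_free(kr) */`. The alternative is to leave the string on the NULL context it was allocated with, as the ldap_child.c hunk allocates it, so the prefix outlives every message. The return value of talloc_steal() is also ignored; a cast to void or a check would make that intent explicit.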
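Review bot: `krb5_cleanup(kr);` at `done` in the last krb5_child.c hunk is now reachable with kr unset, which was not possible before because kr was allocated first and failure called exit(-1) directly. The allocation-failure branch added in the previous hunk jumps to `done` immediately after testing `kr == NULL`, and the talloc_asprintf failure in the first hunk jumps there before kr is assigned at all. Whether kr is initialised to NULL at its declaration and whether krb5_cleanup() accepts NULL are both outside the visible lines; if either does not hold, the error path dereferences a NULL or indeterminate pointer in a helper that handles credentials. I would guard the call with `if (kr != NULL) { krb5_cleanup(kr); }` and confirm the declaration reads `struct krb5_req *kr = NULL;`.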