From a73c892cafebbeb4ee5a8167989174ceb4539ca7 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Tue, 25 Mar 2014 17:57:32 +0100
Subject: IPA: Use function sysdb_attrs_get_el in safe way

Function sysdb_attrs_get_el can enlarge array of ldb_message_element in "struct sysdb_attrs" if attribute is not among available attributes. Array will be enlarged with function talloc_realloc but realloc can move array to another place in memory therefore ldb_message_element should not be used after next call of function sysdb_attrs_get_el

sysdb_attrs_get_el(netgroup, SYSDB_ORIG_MEMBER_USER, &user_found);
sysdb_attrs_get_el(netgroup, SYSDB_ORIG_MEMBER_HOST, &host_found);

With netgroups, it is common to omit user or host from netgroup triple. There is very high probability that realloc will be called. it is possible pointer user_found can refer to the old area after the second call of function sysdb_attrs_get_el.

Resolves: https://fedorahosted.org/sssd/ticket/2284

Reviewed-by: Sumit Bose
(cherry picked from commit c048657aa2fbb246b5dc199ef6101bfd6e5eeaea)
---
 src/providers/ipa/ipa_netgroups.c | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c
index 0deb3944e..0ddc6bff4 100644
--- a/src/providers/ipa/ipa_netgroups.c
+++ b/src/providers/ipa/ipa_netgroups.c
@@ -294,9 +294,7 @@ static void ipa_get_netgroups_process(struct tevent_req *subreq)
 struct ipa_get_netgroups_state *state = tevent_req_data(req,
 struct ipa_get_netgroups_state);
 int i, ret;
- struct ldb_message_element *ng_found;
- struct ldb_message_element *host_found;
- struct ldb_message_element *user_found;
+ struct ldb_message_element *el;
 struct sdap_search_base **netgr_bases;
 struct sysdb_attrs **netgroups;
 size_t netgroups_count;
@@ -342,16 +340,19 @@ static void ipa_get_netgroups_process(struct tevent_req *subreq)

 for (i = 0; i < netgroups_count; i++) {
 ret = sysdb_attrs_get_el(netgroups[i], SYSDB_ORIG_NETGROUP_MEMBER,
- &ng_found);
+ &el);
 if (ret != EOK) goto done;
+ if (el->num_values) state->entities_found |= ENTITY_NG;

 ret = sysdb_attrs_get_el(netgroups[i], SYSDB_ORIG_MEMBER_USER,
- &user_found);
+ &el);
 if (ret != EOK) goto done;
+ if (el->num_values) state->entities_found |= ENTITY_USER;

 ret = sysdb_attrs_get_el(netgroups[i], SYSDB_ORIG_MEMBER_HOST,
- &host_found);
+ &el);
 if (ret != EOK) goto done;
+ if (el->num_values) state->entities_found |= ENTITY_HOST;

 ret = sysdb_attrs_get_string(netgroups[i], SYSDB_ORIG_DN, &orig_dn);
 if (ret != EOK) {
@@ -368,10 +369,6 @@ static void ipa_get_netgroups_process(struct tevent_req *subreq)
 goto done;
 }

- if (ng_found->num_values) state->entities_found |= ENTITY_NG;
- if (user_found->num_values) state->entities_found |= ENTITY_USER;
- if (host_found->num_values) state->entities_found |= ENTITY_HOST;
-
 if (state->entities_found == 0) {
 continue;
 }
--
cgit
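Review bot: The reads of `el->num_values` in the loop are safe only because each one happens before the next `sysdb_attrs_get_el()` call, and nothing in the code records that constraint; the reason lives only in the commit message. A short comment above the first call would keep a later refactor from caching the pointer again and reintroducing the read of reallocated memory, for example `/* sysdb_attrs_get_el() may reallocate the element array; use el before calling it again */`. Setting the ENTITY_* flags now happens before `sysdb_attrs_get_string()` and the lines between this hunk and the next, which are not visible here, so it is worth confirming that none of those paths skips a netgroup without going to `done`, since `state->entities_found` would then already include it. The loop and the function body continue outside the hunk.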