From 0060992d68ba843d4d90b491a1500b6290789a5c Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Wed, 20 Aug 2014 17:04:34 +0200
Subject: dyndns: Fix talloc hierarchy of "struct sss_iface_addr"
Structure "struct sdap_dyndns_update_state" has two linked lists of structures "struct sss_iface_addr": addresses, dns_addrlist In *_recv functions, linked list was talloc stealed to structure sss_iface_addr, but just 1st member was moved to "state" talloc context. Other member of link list were freed with removing subrequest, which caused use after free problem.
Resolves: https://fedorahosted.org/sssd/ticket/2405
Reviewed-by: Jakub Hrozek
---
 src/providers/dp_dyndns.c | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'src/providers/dp_dyndns.c')
diff --git a/src/providers/dp_dyndns.c b/src/providers/dp_dyndns.c
index a12560ecd..31b452afe 100644
--- a/src/providers/dp_dyndns.c
+++ b/src/providers/dp_dyndns.c
@@ -66,6 +66,9 @@ sss_iface_addr_add(TALLOC_CTX *mem_ctx, struct sss_iface_addr **list,
 talloc_zfree(address);
 return NULL;
 }
+
+ /* steal old dlist to the new head */
+ talloc_steal(address, *list);
 DLIST_ADD(*list, address);
 return address;
@@ -212,6 +215,9 @@ sss_iface_addr_list_get(TALLOC_CTX *mem_ctx, const char *ifname,
 ret = ENOMEM;
 goto done;
 }
+
+ /* steal old dlist to the new head */
+ talloc_steal(address, addrlist);
 DLIST_ADD(addrlist, address);
 }
 }
@@ -650,6 +656,9 @@ nsupdate_get_addrs_done(struct tevent_req *subreq)
 if (state->addrlist) {
 talloc_steal(state->addrlist, addr);
 }
+
+ /* steal old dlist to the new head */
+ talloc_steal(addr, state->addrlist);
 DLIST_ADD(state->addrlist, addr);
 }
 state->count += count;
-- cgit
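Review bot: The added `talloc_steal(address, *list);` in sss_iface_addr_add makes each node the talloc parent of the node that follows it, but the comment does not state that ownership rule; the same holds for the identical additions in sss_iface_addr_list_get and nsupdate_get_addrs_done. Under this layout, freeing any single node also frees everything behind it in the list, so code that unlinks one entry and frees it would bring back the use-after-free this commit resolves. I would spell the invariant out in the comment, e.g. `/* each node owns its successor: freeing the head frees the whole list; re-parent the successor before freeing a single node */`. The body of sss_iface_addr_add starts and ends outside the hunk, so any existing removal path is not visible here.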
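Review bot: In nsupdate_get_addrs_done the pre-existing `talloc_steal(state->addrlist, addr);` and the added `talloc_steal(addr, state->addrlist);` work against each other: when the list is non-empty the first makes `addr` a child of the old head, and the second then makes the old head a child of `addr`. That looks like a parent loop in which neither chunk hangs off `state` any more, so the list would no longer be released with the request state and a later free of either node has undefined ownership. To match the other two hunks, I would drop the `if (state->addrlist) { talloc_steal(state->addrlist, addr); }` block and keep only the new steal, so `addr` keeps the parent it was allocated on. The allocation of `addr` is outside the hunk, so its original parent should be confirmed to be `state`.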