From 47bc2d6639c41da1e5bac37eb4af3559bbc0e10e Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Tue, 8 Apr 2014 10:56:22 +0200
Subject: krb5_child: Fix use after free in debug message

debug_prg_name is used in debug_fn and it was allocated under talloc context "kr". The variable "kr" was removed before the last debug messages in function main. It is very little change that it will be overridden.

It is possible to see this issue with exported environment variable TALLOC_FREE_FILL=255

Reviewed-by: Sumit Bose
---
 src/providers/krb5/krb5_child.c | 26 +++++++++++++++-----------
 src/providers/ldap/ldap_child.c |  1 +
 2 files changed, 16 insertions(+), 11 deletions(-)

(limited to 'src')

diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index c243d063b..81f86bbe8 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1999,14 +1999,9 @@ int main(int argc, const char *argv[])
 
     DEBUG_INIT(debug_level);
 
-    kr = talloc_zero(NULL, struct krb5_req);
-    if (kr == NULL) {
-        DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n");
-        exit(-1);
-    }
-
-    debug_prg_name = talloc_asprintf(kr, "[sssd[krb5_child[%d]]]", getpid());
+    debug_prg_name = talloc_asprintf(NULL, "[sssd[krb5_child[%d]]]", getpid());
     if (!debug_prg_name) {
+        debug_prg_name = "[sssd[krb5_child]]";
         DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
         ret = ENOMEM;
         goto done;
@@ -2021,6 +2016,14 @@ int main(int argc, const char *argv[])
 
     DEBUG(SSSDBG_TRACE_FUNC, "krb5_child started.\n");
 
+    kr = talloc_zero(NULL, struct krb5_req);
+    if (kr == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n");
+        ret = ENOMEM;
+        goto done;
+    }
+    talloc_steal(kr, debug_prg_name);
+
     ret = k5c_recv_data(kr, STDIN_FILENO, &offline);
     if (ret != EOK) {
         goto done;
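Review bot: The `goto done` on the talloc_asprintf failure now reaches `krb5_cleanup(kr)` and `talloc_free(kr)` (third hunk) before `kr` has been allocated, because the allocation moved below the start-up messages in the second hunk; unless `kr` is initialised at its declaration (outside the hunk) and `krb5_cleanup()` tolerates NULL, that is a cleanup on an uninitialised pointer, where before this change `kr` was always valid at `done`. The declaration should read `struct krb5_req *kr = NULL;`, and if the helper does not already check, the cleanup should be `if (kr != NULL) krb5_cleanup(kr);`. Any other error exits in the lines between the first two hunks (old 2013–2020, not shown) have the same exposure. The body of main starts and continues outside the hunk.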
@@ -2079,13 +2082,14 @@ int main(int argc, const char *argv[])
     }
 
 done:
-    krb5_cleanup(kr);
-    talloc_free(kr);
     if (ret == EOK) {
         DEBUG(SSSDBG_TRACE_FUNC, "krb5_child completed successfully\n");
-        exit(0);
+        ret = 0;
     } else {
         DEBUG(SSSDBG_CRIT_FAILURE, "krb5_child failed!\n");
-        exit(-1);
+        ret = -1;
     }
+    krb5_cleanup(kr);
+    talloc_free(kr);
+    exit(ret);
 }
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index 34f23ec80..0e5e1614a 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -462,6 +462,7 @@ int main(int argc, const char *argv[])
 
     debug_prg_name = talloc_asprintf(NULL, "[sssd[ldap_child[%d]]]", getpid());
     if (!debug_prg_name) {
+        debug_prg_name = "[sssd[ldap_child]]";
         DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
         goto fail;
     }
-- 
cgit
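Review bot: The fallback `debug_prg_name = "[sssd[ldap_child]]";` points `debug_prg_name` at a string literal, so nothing on the `fail:` path (outside the hunk) may `talloc_free()` or `talloc_steal()` it, and if `debug_prg_name` is declared `char *` rather than `const char *` the assignment also discards const; that constraint deserves a comment at the assignment, `/* static fallback: not talloc-owned, must never be freed */`. The krb5_child fallback in the first hunk has the same property, and there it is only safe because `talloc_steal(kr, debug_prg_name)` sits on the success path after the allocation check. The enclosing main continues outside the hunk.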