From f7aef1e3ca5bdcddb6fb7c7e6556315faa96165d Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Wed, 7 Aug 2013 13:01:09 +0200
Subject: Fix memory context for hash entries In sdap_nested_group_populate_users() username and orignal_dn are allocated on a temporary memory context. If the corresponding user is not found in the cache both are added to a hash which is later on returned to the caller. To avoid a use-after-free when the hash entries are looked up both must be reassigned to the memory context of the hash.
---
 src/providers/ldap/sdap_async_groups.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index 9f667320a..a2e5106f0 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -2107,11 +2107,13 @@ static errno_t sdap_nested_group_populate_users(TALLOC_CTX *mem_ctx,
 if (ret != EOK) goto done;
 } else {
 key.type = HASH_KEY_STRING;
- key.str = discard_const(original_dn);
+ key.str = talloc_steal(ghosts, discard_const(original_dn));
 value.type = HASH_VALUE_PTR;
- value.ptr = discard_const(username);
+ value.ptr = talloc_steal(ghosts, discard_const(username));
 ret = hash_enter(ghosts, &key, &value);
 if (ret != HASH_SUCCESS) {
+ talloc_free(key.str);
+ talloc_free(value.ptr);
 ret = ENOMEM;
 goto done;
 }
-- cgit
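Review bot: The two `talloc_steal(ghosts, ...)` calls move ownership of `original_dn` and `username` out of the temporary context through `discard_const` casts, and nothing in the code records that lifetime rule. A comment above `key.str = ...` would help the next maintainer avoid reintroducing the use-after-free, for example `/* ghosts is returned to the caller: both strings must be owned by the table, not by the temporary context */`. The steal also assumes `ghosts` is itself a talloc-allocated table, which cannot be confirmed from this hunk because it is created outside it. If `hash_enter` copies string keys internally, which is worth checking against the dhash implementation, then stealing `original_dn` only parks an unused copy on `ghosts` until the table is freed, and just `username` needs re-parenting. The body of `sdap_nested_group_populate_users()` starts and ends outside the hunk, so later uses of either pointer after the failure-path `talloc_free` calls are not visible here.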