From 0bb66d94542920870effa808861c0c20180111ba Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Tue, 2 Aug 2016 15:20:19 +0200
Subject: [PATCH 69/74] SYSDB: Sanitize dn in
sysdb_get_user_members_recursively
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There was a crash in nss responder when a group contained
a user with special characters which should be sanitized before
using in filter.
==31651== Conditional jump or move depends on uninitialised value(s)
==31651== at 0x8BEA7DE: _talloc_steal_loc (talloc.c:1215)
==31651== by 0x5264889: sysdb_get_user_members_recursively (sysdb_ops.c:4759)
==31651== by 0x5278F61: sysdb_add_group_member_overrides (sysdb_views.c:1375)
==31651== by 0x526677C: sysdb_getgrnam_with_views (sysdb_search.c:799)
==31651== by 0x1172F6: nss_cmd_getgrnam_search (nsssrv_cmd.c:3168)
==31651== by 0x119C67: nss_cmd_getby_dp_callback (nsssrv_cmd.c:1382)
==31651== by 0x10FD14: nsssrv_dp_send_acct_req_done (nsssrv_cmd.c:916)
==31651== by 0x12898B: sss_dp_internal_get_done (responder_dp.c:791)
==31651== by 0x58FF861: complete_pending_call_and_unlock (dbus-connection.c:2314)
==31651== by 0x5902B50: dbus_connection_dispatch (dbus-connection.c:4580)
==31651== by 0x527F261: sbus_dispatch (sssd_dbus_connection.c:96)
==31651== by 0x89D8B4E: tevent_common_loop_timer_delay (tevent_timed.c:341)
Resolves:
https://fedorahosted.org/sssd/ticket/3121
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/db/sysdb_ops.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index ed177d1730723a61e01167a75a0baca6d81252f8..342e16fb20e2c418745b137162425509ca1fd0cb 100644
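--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -4722,6 +4722,7 @@ errno_t sysdb_get_user_members_recursively(TALLOC_CTX *mem_ctx,
 struct ldb_result *res;
 struct ldb_dn *base_dn;
 char *filter;
+ char *sanitized_name;
 const char *attrs[] = SYSDB_PW_ATTRS;
 struct ldb_message **msgs;
 
@@ -4737,8 +4738,17 @@ errno_t sysdb_get_user_members_recursively(TALLOC_CTX *mem_ctx,
 goto done;
 }
 
+ ret = sss_filter_sanitize(tmp_ctx, ldb_dn_get_linearized(group_dn),
+ &sanitized_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to sanitize the given name:'%s'.\n",
+ ldb_dn_get_linearized(group_dn));
+ goto done;
+ }
+
 filter = talloc_asprintf(tmp_ctx, "(&("SYSDB_UC")("SYSDB_MEMBEROF"=%s))",
- ldb_dn_get_linearized(group_dn));
+ sanitized_name);
 if (filter == NULL) {
 DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
 ret = ENOMEM;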
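Review bot: `ldb_dn_get_linearized(group_dn)` can return NULL (for example on allocation failure), and the added code passes that result straight to `sss_filter_sanitize()` and again to the `%s` in the DEBUG call, so a failure that previously only produced a malformed filter could now, if the sanitizer does not check its input, become a NULL dereference in the responder. Linearize once and check before sanitizing: `const char *dn_str = ldb_dn_get_linearized(group_dn);` followed by `if (dn_str == NULL) { ret = ENOMEM; goto done; }`, then pass `dn_str` to both calls. Separately, the valgrind trace in the description points at a `talloc_steal` on line 4759, which lies outside this hunk, and `msgs` is still declared without an initialiser in the first hunk; it is worth confirming that no other search failure can leave it unset before the steal. The function body starts before and continues past both hunks.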
--
2.4.11