
From 3bdc110e167d7e0f20022dea48ec51b1f46369cb Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary@catalyst.net.nz>
Date: Wed, 13 May 2020 10:56:56 +1200
Subject: [PATCH 10/11] CVE-2020-10730: lib ldb: Check if
 ldb_lock_backend_callback called twice
Prevent use after free issues if ldb_lock_backend_callback is called
twice, usually due to ldb_module_done being called twice. This can happen if a
module ignores the return value from a function that calls
ldb_module_done as part of its error handling.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 lib/ldb/common/ldb.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/ldb/common/ldb.c b/lib/ldb/common/ldb.c
index 44a487ba987..090d41dde69 100644
--- a/lib/ldb/common/ldb.c
+++ b/lib/ldb/common/ldb.c
@@ -1009,6 +1009,13 @@ static int ldb_lock_backend_callback(struct ldb_request *req,
 	struct ldb_db_lock_context *lock_context;
 	int ret;
 
+	if (req->context == NULL) {
+		/*
+		 * The usual way to get here is to ignore the return codes
+		 * and continuing processing after an error.
+		 */
+		abort();
+	}
 	lock_context = talloc_get_type(req->context,
 				       struct ldb_db_lock_context);
 
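Review bot: The new NULL guard at the top of ldb_lock_backend_callback aborts with no diagnostic, and its comment ("ignore the return codes and continuing processing") is ungrammatical and does not say what condition the guard actually detects. Because the second hunk now clears req->context with TALLOC_FREE() once the request completes, a NULL context here means the callback was invoked again after completion, and saying so makes the abort self-explanatory to whoever reads the crash dump. Suggested replacement for the comment: `/* req->context is cleared below once the request completes; reaching here means this callback ran a second time, usually because a caller ignored an error return and continued processing after ldb_module_done(). */`. The enclosing function continues outside the hunk, so I cannot tell from here whether an ldb context is reachable to log through before aborting.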
@@ -1023,7 +1030,7 @@ static int ldb_lock_backend_callback(struct ldb_request *req,
 		 * If this is a LDB_REPLY_DONE or an error, unlock the
 		 * DB by calling the destructor on this context
 		 */
-		talloc_free(lock_context);
+		TALLOC_FREE(req->context);
 		return ret;
 	}
 
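Review bot: `TALLOC_FREE(req->context)` does two jobs on this line — it frees the lock context and it NULLs the pointer that the new guard at the top of the function checks — but the surrounding comment only mentions the unlock, so a later cleanup could revert it to `talloc_free(lock_context)` and silently reopen the double-callback path this commit closes. Extending the existing comment with a line such as `* Use TALLOC_FREE() rather than talloc_free() so req->context is NULL if this callback is wrongly invoked again.` ties the two hunks together. The function body continues past the hunk; I am assuming the non-DONE reply paths deliberately keep req->context alive for further callbacks.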
-- 
2.17.1