|
 |
b833e0 |
From 3b158934cbb8f87cbfaf1650389b8dcd654b92ca Mon Sep 17 00:00:00 2001
|
|
|
b833e0 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
b833e0 |
Date: Thu, 19 Nov 2020 18:05:00 +0100
|
|
|
b833e0 |
Subject: [PATCH] ifp: fix original fix use-after-free
|
|
|
b833e0 |
|
|
|
b833e0 |
The original fix stole the fqdn too earlier. Only for SSS_DP_USER
|
|
|
b833e0 |
requests the steal is important. For other request where the first
|
|
|
b833e0 |
result is returned to the caller the original version
|
|
|
b833e0 |
might even cause issues since the name does not belong to the memory
|
|
|
b833e0 |
hierarchy of the result anymore.
|
|
|
b833e0 |
|
|
|
b833e0 |
Resolves: https://github.com/SSSD/sssd/issues/5382
|
|
|
b833e0 |
|
|
|
b833e0 |
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
|
b833e0 |
---
|
|
|
b833e0 |
src/responder/ifp/ifpsrv_cmd.c | 4 ++--
|
|
|
b833e0 |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
b833e0 |
|
|
|
b833e0 |
diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
|
|
|
b833e0 |
index d95618127..8cf1ec84c 100644
|
|
|
b833e0 |
--- a/src/responder/ifp/ifpsrv_cmd.c
|
|
|
b833e0 |
+++ b/src/responder/ifp/ifpsrv_cmd.c
|
|
|
b833e0 |
@@ -128,10 +128,10 @@ static void ifp_user_get_attr_done(struct tevent_req *subreq)
|
|
|
b833e0 |
tevent_req_error(req, ERR_INTERNAL);
|
|
|
b833e0 |
return;
|
|
|
b833e0 |
}
|
|
|
b833e0 |
- fqdn = talloc_steal(state, fqdn);
|
|
|
b833e0 |
|
|
|
b833e0 |
if (state->search_type == SSS_DP_USER) {
|
|
|
b833e0 |
- /* throw away the result and perform attr search */
|
|
|
b833e0 |
+ /* throw away the result but keep the fqdn and perform attr search */
|
|
|
b833e0 |
+ fqdn = talloc_steal(state, fqdn);
|
|
|
b833e0 |
talloc_zfree(state->res);
|
|
|
b833e0 |
|
|
|
b833e0 |
ret = sysdb_get_user_attr_with_views(state, state->dom, fqdn,
|
|
|
b833e0 |
--
|
|
|
b833e0 |
2.21.3
|
|
|
b833e0 |
|