Blame SOURCES/0047-ifp-fix-use-after-free.patch

32a074
From 316b8cde698bd4586a70fc5ed50a70dedc4b424f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 3 Nov 2020 10:12:15 +0100
Subject: [PATCH] ifp: fix use-after-free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The variable fqdn is pointing to some data from state->res->msgs[0]. But
before fqdn is used in the next search state->res and the memory
hierarchy below is freed. As a result the location where fqdn is pointing
to might hold the expected data or other data and the search will fail
intermittently.
Resolves: https://github.com/SSSD/sssd/issues/5382
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 81e757b7b1d69893b5725f9c148c55d89c779e7b)
---
 src/responder/ifp/ifpsrv_cmd.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
index ddb03f6b0..d83600681 100644
--- a/src/responder/ifp/ifpsrv_cmd.c
+++ b/src/responder/ifp/ifpsrv_cmd.c
@@ -124,6 +124,7 @@ ifp_user_get_attr_unpack_msg(struct ifp_attr_req *attr_req)
     if (attr_req->attrs == NULL) {
         return ENOMEM;
     }
+    fqdn = talloc_steal(state, fqdn);
 
     ai = 0;
     for (i = 0; i < nattrs; i++) {
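Review bot: the added `fqdn = talloc_steal(state, fqdn);` line, placed right after the `attr_req->attrs == NULL` check, needs a short comment explaining why ownership moves, because nothing visible in this hunk shows that fqdn borrows from state->res->msgs[0] or where state->res is freed. A one-line comment such as "fqdn points into state->res, which is freed before the next search" would keep a later cleanup from dropping the line as redundant. The hunk also does not show how fqdn is obtained: talloc_steal is only valid on a pointer that is the start of its own talloc allocation, so please confirm that holds for the value read from the message. If that cannot be guaranteed, copying the string onto state with talloc_strdup and returning ENOMEM on failure, as the check just above does, is the safer form.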
-- 
2.21.3