From ddcdb9ecfbbfb7e3ce57c7b97eefa3e59b5a0e78 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Fri, 7 Aug 2015 14:29:45 +0200
Subject: [PATCH 66/66] NSS: Fix use after free
|
It can happen if there are two domains and the user is not found
in the first one.
|
==29279== Invalid read of size 1
==29279== at 0x4C2CBA2: strlen (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==29279== by 0x89A7AC4: talloc_strdup (in /usr/lib64/libtalloc.so.2.1.2)
==29279== by 0x11668A: nss_cmd_initgroups_search (nsssrv_cmd.c:4191)
==29279== by 0x118B27: nss_cmd_getby_dp_callback (nsssrv_cmd.c:1208)
==29279== by 0x10F2B4: nsssrv_dp_send_acct_req_done (nsssrv_cmd.c:759)
==29279== by 0x126AFB: sss_dp_internal_get_done (responder_dp.c:802)
==29279== by 0x56EA861: ??? (in /usr/lib64/libdbus-1.so.3.7.4)
==29279== by 0x56EDB50: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.7.4)
==29279== by 0x50721E1: sbus_dispatch (sssd_dbus_connection.c:96)
==29279== by 0x879B22E: tevent_common_loop_timer_delay (tevent_timed.c:341)
==29279== by 0x879C239: epoll_event_loop_once (tevent_epoll.c:911)
==29279== by 0x879A936: std_event_loop_once (tevent_standard.c:114)
==29279== Address 0xbbad240 is 96 bytes inside a block of size 106 free'd
==29279== at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==29279== by 0x89A46E3: _talloc_free (in /usr/lib64/libtalloc.so.2.1.2)
==29279== by 0x116679: nss_cmd_initgroups_search (nsssrv_cmd.c:4190)
==29279== by 0x118B27: nss_cmd_getby_dp_callback (nsssrv_cmd.c:1208)
==29279== by 0x10F2B4: nsssrv_dp_send_acct_req_done (nsssrv_cmd.c:759)
==29279== by 0x126AFB: sss_dp_internal_get_done (responder_dp.c:802)
==29279== by 0x56EA861: ??? (in /usr/lib64/libdbus-1.so.3.7.4)
==29279== by 0x56EDB50: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.7.4)
==29279== by 0x50721E1: sbus_dispatch (sssd_dbus_connection.c:96)
==29279== by 0x879B22E: tevent_common_loop_timer_delay (tevent_timed.c:341)
==29279== by 0x879C239: epoll_event_loop_once (tevent_epoll.c:911)
==29279== by 0x879A936: std_event_loop_once (tevent_standard.c:114)
|
Resolves:
https://fedorahosted.org/sssd/ticket/2749
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/nss/nsssrv_cmd.c | 6 +++---
src/responder/nss/nsssrv_private.h | 1 +
2 files changed, 4 insertions(+), 3 deletions(-)
|
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index aa64432d51f15ed17212b8c40eebf5c9322bc784..459634b8d7a590a196ad47a17cd52729fc633ee2 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -4107,7 +4107,7 @@ static int nss_cmd_initgr_send_reply(struct nss_dom_ctx *dctx)
}
|
ret = fill_initgr(cctx->creq->out, dctx->domain, dctx->res, nctx,
- dctx->mc_name, cmdctx->name);
+ dctx->mc_name, cmdctx->normalized_name);
if (ret) {
return ret;
}
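Review bot: `cmdctx->normalized_name` passed to fill_initgr here is only assigned inside nss_cmd_initgroups_search's per-domain loop, so if nss_cmd_initgr_send_reply can be reached before that loop has completed an iteration (its callers are not visible in this hunk), fill_initgr now receives NULL where the old code passed the raw `cmdctx->name`. A one-line comment above the call would make the dependency explicit, e.g. `/* normalized_name is cmdctx->name adjusted for dctx->domain by nss_cmd_initgroups_search */`. The enclosing function nss_cmd_initgr_send_reply begins outside the hunk.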
@@ -4151,14 +4151,14 @@ static int nss_cmd_initgroups_search(struct nss_dom_ctx *dctx)
/* make sure to update the dctx if we changed domain */
dctx->domain = dom;
|
- talloc_free(name);
+ talloc_zfree(cmdctx->normalized_name);
name = sss_get_cased_name(dctx, cmdctx->name, dom->case_sensitive);
if (!name) return ENOMEM;
|
name = sss_reverse_replace_space(cmdctx, name,
nctx->rctx->override_space);
/* save name so it can be used in initgr reply */
- cmdctx->name = name;
+ cmdctx->normalized_name = name;
if (name == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE,
"sss_reverse_replace_space failed\n");
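Review bot: The cased copy returned by `sss_get_cased_name(dctx, cmdctx->name, ...)` is overwritten two lines later by the result of `sss_reverse_replace_space(cmdctx, name, ...)` and is never freed; if sss_reverse_replace_space returns a fresh allocation (its definition is not in this diff), one talloc child of dctx leaks per domain iterated, and `talloc_zfree(cmdctx->normalized_name)` only reclaims the second allocation. Keeping the cased copy in its own local and calling `talloc_free()` on it once the replaced name has been built would close that, provided the two pointers are confirmed to be distinct. Separately, `cmdctx->normalized_name` is declared `const char *` in nsssrv_private.h while this function owns and frees it; `char *` would state the ownership honestly and avoid relying on talloc_zfree tolerating a const pointer. The enclosing loop and function nss_cmd_initgroups_search begin and end outside the hunk.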
diff --git a/src/responder/nss/nsssrv_private.h b/src/responder/nss/nsssrv_private.h
index e5a2486f1fb9a8de39ec90f802f596b2c2f6af7f..72f7b75604567f9b95937018e54ba2d60b771f9b 100644
--- a/src/responder/nss/nsssrv_private.h
+++ b/src/responder/nss/nsssrv_private.h
@@ -31,6 +31,7 @@ struct nss_cmd_ctx {
struct cli_ctx *cctx;
enum sss_cli_command cmd;
char *name;
+ const char *normalized_name;
bool name_is_upn;
uint32_t id;
char *secid;
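Review bot: The new `normalized_name` field carries no comment, yet its contract is the whole point of the fix: it is a separate allocation from `name`, is rebuilt by nss_cmd_initgroups_search for each domain it visits, and is freed with talloc_zfree when the domain changes, so readers of nss_cmd_ctx need to know it is owned by cmdctx and may be NULL before the search runs. A comment such as `/* cmdctx->name normalized for the current domain (case, space override); owned here, reset on domain change */` would capture that. Since the field is freed by the owner, `char *normalized_name;` (matching `name` above) is a better fit than `const char *`, which suggests a borrowed pointer.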
--
2.4.3