From 316b8cde698bd4586a70fc5ed50a70dedc4b424f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 3 Nov 2020 10:12:15 +0100
Subject: [PATCH] ifp: fix use-after-free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The variable fqdn is pointing to some data from state->res->msgs[0]. But
before fqdn is used in the next search state->res and the memory
hierarchy below is freed. As a result the location where fqdn is pointing
to might hold the expected data or other data and the search will fail
intermittently.

Resolves: https://github.com/SSSD/sssd/issues/5382

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 81e757b7b1d69893b5725f9c148c55d89c779e7b)
---
 src/responder/ifp/ifpsrv_cmd.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
index ddb03f6b0..d83600681 100644
--- a/src/responder/ifp/ifpsrv_cmd.c
+++ b/src/responder/ifp/ifpsrv_cmd.c
@@ -124,6 +124,7 @@ ifp_user_get_attr_unpack_msg(struct ifp_attr_req *attr_req)
     if (attr_req->attrs == NULL) {
         return ENOMEM;
     }
+    fqdn = talloc_steal(state, fqdn);
 
     ai = 0;
     for (i = 0; i < nattrs; i++) {
-- 
2.21.3