From 3b158934cbb8f87cbfaf1650389b8dcd654b92ca Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Thu, 19 Nov 2020 18:05:00 +0100
Subject: [PATCH] ifp: fix original fix use-after-free
The original fix stole the fqdn too earlier. Only for SSS_DP_USER requests the steal is important. For other request where the first result is returned to the caller the original version might even cause issues since the name does not belong to the memory hierarchy of the result anymore.
Resolves: https://github.com/SSSD/sssd/issues/5382
Reviewed-by: Alexey Tikhonov
---
 src/responder/ifp/ifpsrv_cmd.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
index d95618127..8cf1ec84c 100644
--- a/src/responder/ifp/ifpsrv_cmd.c
+++ b/src/responder/ifp/ifpsrv_cmd.c
@@ -128,10 +128,10 @@ static void ifp_user_get_attr_done(struct tevent_req *subreq)
 tevent_req_error(req, ERR_INTERNAL);
 return;
 }
- fqdn = talloc_steal(state, fqdn);
 if (state->search_type == SSS_DP_USER) {
- /* throw away the result and perform attr search */
+ /* throw away the result but keep the fqdn and perform attr search */
+ fqdn = talloc_steal(state, fqdn);
 talloc_zfree(state->res);
 ret = sysdb_get_user_attr_with_views(state, state->dom, fqdn,
-- 
2.21.3
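Review bot: The added `fqdn = talloc_steal(state, fqdn);` is safe only because it runs before `talloc_zfree(state->res);`, and the new comment says "keep the fqdn" without recording that ordering or the reason for it. Going by the commit description, the name appears to be allocated under the result's talloc hierarchy, so a later reorder or a removal of the steal as redundant would bring back the use-after-free in the `sysdb_get_user_attr_with_views()` call. I would spell the invariant out, for example `/* fqdn is still parented to state->res: move it to state before the result is freed, the attr search below reads it */`. `ifp_user_get_attr_done()` starts and ends outside this hunk, so the origin of `fqdn` and the non-SSS_DP_USER paths that return the first result cannot be checked from here.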