authorAndrew Bartlett <abartlet@samba.org>2020-01-30 16:41:39 +1300
committerKarolin Seeger <kseeger@samba.org>2020-02-26 12:37:17 +0000
commitc130ca2bcc3793e47d203b10867644b473d2a64c (patch)
tree8adb39c5824b7bfbb8e01910a0212ec01a332414
parent8cb7818a40564e2af2090e9b775ac4d770d3aae5 (diff)
downloadsamba-c130ca2bcc3793e47d203b10867644b473d2a64c.tar.gz
dsdb: Correctly handle memory in objectclass_attrs
el->values is caller-provided memory that should be thought of as constant; it should not be assumed to be a talloc context. Otherwise, if the caller gives constant memory or a stack pointer we will get an abort() in talloc when it expects a talloc magic in the memory preceding the el->values. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14258 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit 3657bbc21182d764ddfcd603025f24ec240fd263)
-rw-r--r--source4/dsdb/samdb/ldb_modules/objectclass_attrs.c17
1 files changed, 16 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
index 67c93ca08d8..438d39e2521 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
@@ -133,7 +133,16 @@ static int oc_auto_normalise(struct ldb_context *ldb, const struct dsdb_attribut
for (i=0; i<el->num_values; i++) {
struct ldb_val v;
int ret;
- ret = attr->ldb_schema_attribute->syntax->canonicalise_fn(ldb, el->values, &el->values[i], &v);
+ /*
+ * We use msg->elements (owned by this module due to
+ * ldb_msg_copy_shallow()) as a memory context and
+ * then steal from there to the right spot if we don't
+ * free it.
+ */
+ ret = attr->ldb_schema_attribute->syntax->canonicalise_fn(ldb,
+ msg->elements,
+ &el->values[i],
+ &v);
if (ret != LDB_SUCCESS) {
return ret;
}
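Review bot: The new comment justifies passing `msg->elements` as the talloc parent by saying it is owned by this module "due to ldb_msg_copy_shallow()", but that copy is made outside this hunk, so the precondition is not enforced at the call that depends on it. If oc_auto_normalise were ever reached with a message whose elements array is not talloc memory, the allocation inside canonicalise_fn would presumably hit the same talloc abort() that this commit removes for el->values. I would state the requirement as a contract above the function definition, e.g. `/* msg must be the module's own shallow copy: msg->elements is used as a talloc parent */`. The function body starts before this hunk and continues past it.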
@@ -156,6 +165,12 @@ static int oc_auto_normalise(struct ldb_context *ldb, const struct dsdb_attribut
}
el->values[i] = v;
+
+ /*
+ * By now el->values is a talloc pointer under
+ * msg->elements and may now be used
+ */
+ talloc_steal(el->values, v.data);
}
return LDB_SUCCESS;
}
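Review bot: The comment above `talloc_steal(el->values, v.data)` asserts that el->values is already a talloc pointer, but the code that makes this true is the block closed by the `}` at the top of the hunk, whose body is not visible here, and "may now be used" does not say used as what. A non-talloc el->values at this line is exactly the abort described in the commit message, so the comment should name the invariant it relies on, for example `/* el->values was replaced above by an array allocated under msg->elements, so it is a valid talloc parent for v.data */`. It is also worth confirming that every path reaching this line has gone through that replacement; the no-change path presumably skips this line via an earlier `continue`, which lies between the two hunks.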