authorGary Lockyer <gary@catalyst.net.nz>2020-05-13 10:56:56 +1200
committerKarolin Seeger <kseeger@samba.org>2020-06-25 10:43:52 +0200
commit9dd458956d7af1b4bbe505ba2ab72235e81c27d0 (patch)
treecdfdb0b13cfaf6d2aaffc8cdf91a04920b8723e2
parentb2658b9432c6a6a03b9da269da6ede701c8322fb (diff)
downloadsamba-9dd458956d7af1b4bbe505ba2ab72235e81c27d0.tar.gz
CVE-2020-10730: lib ldb: Check if ldb_lock_backend_callback called twice
Prevent use after free issues if ldb_lock_backend_callback is called twice, usually due to ldb_module_done being called twice. This can happen if a module ignores the return value from a function that calls ldb_module_done as part of its error handling. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--lib/ldb/common/ldb.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/lib/ldb/common/ldb.c b/lib/ldb/common/ldb.c
index 8c86dca45a1..0fec89a52a8 100644
--- a/lib/ldb/common/ldb.c
+++ b/lib/ldb/common/ldb.c
@@ -1018,6 +1018,13 @@ static int ldb_lock_backend_callback(struct ldb_request *req,
struct ldb_db_lock_context *lock_context;
int ret;
+ if (req->context == NULL) {
+ /*
+ * The usual way to get here is to ignore the return codes
+ * and continuing processing after an error.
+ */
+ abort();
+ }
lock_context = talloc_get_type(req->context,
struct ldb_db_lock_context);
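Review bot: The new guard only rejects `req->context == NULL`, but `talloc_get_type()` on the next line also returns NULL when the talloc type name does not match, and the visible lines do not check that result. Since this path already aborts on an invalid context, `lock_context = talloc_get_type_abort(req->context, struct ldb_db_lock_context);` would cover the wrong-type case with the same failure mode. The bare `abort()` also leaves no record of why the process died, so a fatal-level log line before it would help whoever triages the resulting core. The rest of the callback body is outside this hunk, so how lock_context is used afterwards cannot be confirmed from here.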
@@ -1032,7 +1039,7 @@ static int ldb_lock_backend_callback(struct ldb_request *req,
* If this is a LDB_REPLY_DONE or an error, unlock the
* DB by calling the destructor on this context
*/
- talloc_free(lock_context);
+ TALLOC_FREE(req->context);
return ret;
}
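Review bot: Nothing at the `TALLOC_FREE(req->context);` line records that setting `req->context` to NULL is what the check at the top of the callback depends on, so a later cleanup back to `talloc_free(lock_context)` would silently disable the double-call detection. Extending the existing comment would pin this, for example `* TALLOC_FREE also resets req->context to NULL so that a second call is caught by the check at the top of this function.` The assignment of `ret` and any other return paths of the callback are outside this hunk. If one of them can complete the request without clearing `req->context`, the guard would not fire for it, which is worth confirming against the full function.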