diff options
| author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2021-09-13 11:15:17 +1200 |
|---|---|---|
| committer | Stefan Metzmacher <metze@samba.org> | 2021-10-28 08:58:16 +0000 |
| commit | 0c36416e319e307022d11a915a4ac508c0ab2eea (patch) | |
| tree | 1f420db3fe467b698d5978783f15e6d9c5fd0744 | |
| parent | 400d04533ab3525f29721dffa137faf096c274e8 (diff) | |
| download | samba-0c36416e319e307022d11a915a4ac508c0ab2eea.tar.gz | |
pyldb: Avoid use-after-free in msg_diff()
Make a deep copy of the message elements in msg_diff() so that if either
of the input messages are deallocated early, the result does not refer
to non-existing elements.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14645
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
[abartlet@samba.org backported from commit
19a2af02f57d99db8ed3c6b028c3abdf4b553700 due to conflicts in
the knownfail.d/python-segfaults file]
Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Wed Sep 29 13:14:22 UTC 2021 on sn-devel-184
| -rw-r--r-- | lib/ldb/pyldb.c | 18 | ||||
| -rw-r--r-- | selftest/knownfail.d/python-segfaults | 1 |
2 files changed, 16 insertions, 3 deletions
diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c index 813cdb0870e..443b677c2c4 100644 --- a/lib/ldb/pyldb.c +++ b/lib/ldb/pyldb.c @@ -1804,6 +1804,7 @@ static PyObject *py_ldb_msg_diff(PyLdbObject *self, PyObject *args) struct ldb_message *diff; struct ldb_context *ldb; PyObject *py_ret; + TALLOC_CTX *mem_ctx = NULL; if (!PyArg_ParseTuple(args, "OO", &py_msg_old, &py_msg_new)) return NULL; @@ -1818,19 +1819,32 @@ static PyObject *py_ldb_msg_diff(PyLdbObject *self, PyObject *args) return NULL; } + mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + PyErr_NoMemory(); + return NULL; + } + ldb = pyldb_Ldb_AS_LDBCONTEXT(self); - ldb_ret = ldb_msg_difference(ldb, ldb, + ldb_ret = ldb_msg_difference(ldb, mem_ctx, pyldb_Message_AsMessage(py_msg_old), pyldb_Message_AsMessage(py_msg_new), &diff); if (ldb_ret != LDB_SUCCESS) { + talloc_free(mem_ctx); PyErr_SetString(PyExc_RuntimeError, "Failed to generate the Ldb Message diff"); return NULL; } + diff = ldb_msg_copy(mem_ctx, diff); + if (diff == NULL) { + PyErr_NoMemory(); + return NULL; + } + py_ret = PyLdbMessage_FromMessage(diff); - talloc_unlink(ldb, diff); + talloc_free(mem_ctx); return py_ret; } diff --git a/selftest/knownfail.d/python-segfaults b/selftest/knownfail.d/python-segfaults index b7229fc7229..1be0566dcb1 100644 --- a/selftest/knownfail.d/python-segfaults +++ b/selftest/knownfail.d/python-segfaults @@ -1,2 +1 @@ samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_net_replicate_init__3 -samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_ldb_msg_diff |