author | Matthew Newton <mcn4@leicester.ac.uk> | 2015-01-08 15:11:15 +0000 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2015-01-09 21:21:07 +0100 |
commit | 764cfda2804d036e418365ceac92c2cb8a07577a (patch) | |
tree | de7d27921b3ce8da1d9f8dfa16c7b6bd90881aac /nsswitch | |
parent | fb35a22b7aae07bce233d5539c5048b308271010 (diff) | |
download | samba-764cfda2804d036e418365ceac92c2cb8a07577a.tar.gz |
Make sure response->extra_data.data is always cleared out

Otherwise a bad read can sometimes cause the function to return -1 with
an invalid pointer in extra_data.data, which is attempted to be freed
by the caller (e.g. libwbclient/wbc_pam.c wbcAuthenticateUserEx())
by calling winbindd_free_response().

Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'nsswitch')
-rw-r--r-- | nsswitch/wb_common.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c index 44bfaf42ce7..3b67df03003 100644 --- a/nsswitch/wb_common.c +++ b/nsswitch/wb_common.c @@ -552,6 +552,13 @@ static int winbindd_read_reply(struct winbindd_response *response) result1 = winbind_read_sock(response, sizeof(struct winbindd_response)); + + /* We actually send the pointer value of the extra_data field from + the server. This has no meaning in the client's address space + so we clear it out. */ + + response->extra_data.data = NULL; + if (result1 == -1) { return -1; } @@ -560,12 +567,6 @@ static int winbindd_read_reply(struct winbindd_response *response) return -1; } - /* We actually send the pointer value of the extra_data field from - the server. This has no meaning in the client's address space - so we clear it out. */ - - response->extra_data.data = NULL; - /* Read variable length response */ if (response->length > sizeof(struct winbindd_response)) { |
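Review bot: The comment moved above `if (result1 == -1)` in the first hunk (@@ -552,6 +552,13) still gives only the address-space reason for the assignment, but the reason it now has to sit before the check is the error path: per the commit message, the caller hands the response to winbindd_free_response() even after a -1 return. Suggest adding a sentence to the comment saying the clear must happen before any error return, so a later tidy-up does not move it back below the checks.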
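Review bot: After the removal in the second hunk (@@ -560,12 +567,6), the next code that can touch extra_data.data is the `if (response->length > sizeof(struct winbindd_response))` branch under `/* Read variable length response */`, and its body is outside this diff. Worth confirming that every error return inside that branch also leaves extra_data.data either NULL or pointing at memory the caller may free, since that is the invariant this change establishes for the two earlier `return -1` paths.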