From b173ac586a688c2c3c6e75b02952e939fd0d4698 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 5 Aug 2021 13:30:41 +0200
Subject: CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info()

We want to use this also in code without existing
stackframe.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 auth/auth_util.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'auth')

diff --git a/auth/auth_util.c b/auth/auth_util.c
index f3586f1fc1e..fe01babd107 100644
--- a/auth/auth_util.c
+++ b/auth/auth_util.c
@@ -26,26 +26,28 @@
 struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx,
 					    const struct auth_session_info *src)
 {
+	TALLOC_CTX *frame = talloc_stackframe();
 	struct auth_session_info *dst;
 	DATA_BLOB blob;
 	enum ndr_err_code ndr_err;
 
 	ndr_err = ndr_push_struct_blob(
 		&blob,
-		talloc_tos(),
+		frame,
 		src,
 		(ndr_push_flags_fn_t)ndr_push_auth_session_info);
 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 		DBG_ERR("copy_session_info(): ndr_push_auth_session_info "
 			"failed: %s\n",
 			ndr_errstr(ndr_err));
+		TALLOC_FREE(frame);
 		return NULL;
 	}
 
 	dst = talloc(mem_ctx, struct auth_session_info);
 	if (dst == NULL) {
 		DBG_ERR("talloc failed\n");
-		TALLOC_FREE(blob.data);
+		TALLOC_FREE(frame);
 		return NULL;
 	}
 
@@ -54,15 +56,16 @@ struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx,
 		dst,
 		dst,
 		(ndr_pull_flags_fn_t)ndr_pull_auth_session_info);
-	TALLOC_FREE(blob.data);
 
 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 		DBG_ERR("copy_session_info(): ndr_pull_auth_session_info "
 			"failed: %s\n",
 			ndr_errstr(ndr_err));
 		TALLOC_FREE(dst);
+		TALLOC_FREE(frame);
 		return NULL;
 	}
 
+	TALLOC_FREE(frame);
 	return dst;
 }
-- 
cgit v1.2.1