Attachment 14172 Details for Bug 13420 – patch for master

[patch] patch for master

0001-s4-lsa-Fix-use-after-free-in-LSA-server.patch (text/plain), 1.48 KB, created by Andrew Bartlett on 2018-05-03 04:23:24 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Andrew Bartlett

Created: 2018-05-03 04:23:24 UTC

Size: 1.48 KB

patch

obsolete

>From 460921092ee01e9469c8521f73f13ebeebda4416 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Thu, 3 May 2018 16:22:19 +1200
>Subject: [PATCH] s4-lsa: Fix use-after-free in LSA server
>
>This is a regression introduced in ab7988aa2fd1a43f576a4b73a6893c61c7ef1957.
>
>The state variable contains the data to be returned to the client
>and packed into NDR after the function returned.
>
>This memory needs to be kept (on mem_ctx as parent) until that is
>pushed and freed by the caller.
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>---
> source4/rpc_server/lsa/lsa_lookup.c | 3 ---
> 1 file changed, 3 deletions(-)
>
>diff --git a/source4/rpc_server/lsa/lsa_lookup.c b/source4/rpc_server/lsa/lsa_lookup.c
>index becbcfc8b64..f7d367e9525 100644
>--- a/source4/rpc_server/lsa/lsa_lookup.c
>+++ b/source4/rpc_server/lsa/lsa_lookup.c
>@@ -805,7 +805,6 @@ NTSTATUS dcesrv_lsa_LookupSids(struct dcesrv_call_state *dce_call, TALLOC_CTX *m
> 
> 	state->r.out.result = status;
> 	dcesrv_lsa_LookupSids_base_map(state);
>-	TALLOC_FREE(state);
> 	return status;
> }
> 
>@@ -1284,7 +1283,6 @@ NTSTATUS dcesrv_lsa_LookupNames3(struct dcesrv_call_state *dce_call,
> 
> 	state->r.out.result = status;
> 	dcesrv_lsa_LookupNames_base_map(state);
>-	TALLOC_FREE(state);
> 	return status;
> }
> 
>@@ -1357,7 +1355,6 @@ NTSTATUS dcesrv_lsa_LookupNames4(struct dcesrv_call_state *dce_call, TALLOC_CTX
> 
> 	state->r.out.result = status;
> 	dcesrv_lsa_LookupNames_base_map(state);
>-	TALLOC_FREE(state);
> 	return status;
> }
> 
>-- 
>2.11.0
>

Actions: View

Attachments on bug 13420: 14172 | 14174 | 14192 | 14195 | 14196 | 14198