Attachment 16179 Details for Bug 12795 – updated patch

[patch] updated patch

updated-patches-for-bug-12795.patch (text/plain), 7.44 KB, created by Douglas Bagnall on 2020-08-21 05:30:15 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Douglas Bagnall

Created: 2020-08-21 05:30:15 UTC

Size: 7.44 KB

patch

obsolete

>From acae1428d8fc839e7c7f66d1b02dd17e6e5a9a67 Mon Sep 17 00:00:00 2001
>From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>Date: Wed, 22 May 2019 10:33:15 +1200
>Subject: [PATCH 1/4] tests/vlv: remove redundant assignments
>
>Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>---
> source4/dsdb/tests/python/vlv.py | 4 +---
> 1 file changed, 1 insertion(+), 3 deletions(-)
>
>diff --git a/source4/dsdb/tests/python/vlv.py b/source4/dsdb/tests/python/vlv.py
>index 90a29ab6ec2..b068f8edae3 100644
>--- a/source4/dsdb/tests/python/vlv.py
>+++ b/source4/dsdb/tests/python/vlv.py
>@@ -510,10 +510,8 @@ class VLVTests(VLVTestsBase):
>                 random.shuffle(gte_tests)
>                 res = None
>                 sort_control = "server_sort:1:0:%s" % attr
>-
>                 expected_order = self.get_expected_order(attr, expression)
>-                sort_control = "server_sort:1:0:%s" % attr
>-                res = None
>+
>                 for before in range(0, 11):
>                     after = before
>                     for gte in gte_tests:
>-- 
>2.20.1
>
>
>From 2e899fbc1d13f5a380b9c22e0bd7f85e86ce24e9 Mon Sep 17 00:00:00 2001
>From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>Date: Wed, 22 May 2019 10:32:29 +1200
>Subject: [PATCH 2/4] tests/vlv: attempt to cause trouble by changing sort
> attribute
>
>Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>---
> source4/dsdb/tests/python/vlv.py | 23 +++++++++++++++++++++++
> 1 file changed, 23 insertions(+)
>
>diff --git a/source4/dsdb/tests/python/vlv.py b/source4/dsdb/tests/python/vlv.py
>index b068f8edae3..86ac2b72240 100644
>--- a/source4/dsdb/tests/python/vlv.py
>+++ b/source4/dsdb/tests/python/vlv.py
>@@ -1216,6 +1216,29 @@ class VLVTests(VLVTestsBase):
>         expected_results = [r for r in full_results if r != del_user[attr]]
>         self.assertEqual(results, expected_results)
> 
>+    def test_vlv_change_during_search(self):
>+        attr = 'facsimileTelephoneNumber'
>+        prefix = "change_during_search_"
>+        expr = "(&(objectClass=user)(cn=%s*))" % (prefix)
>+        num_users = 3
>+        users = [self.create_user(i, num_users, prefix=prefix)
>+                 for i in range(num_users)]
>+        expr = "(&(objectClass=user)(facsimileTelephoneNumber=%s*))" % (prefix)
>+
>+        # Start the VLV, change the searched attribute and try the
>+        # cookie.
>+        results, cookie = self.vlv_search(attr, expr)
>+
>+        for u in users:
>+            self.ldb.modify_ldif("dn: %s\n"
>+                                 "changetype: modify\n"
>+                                 "replace: facsimileTelephoneNumber\n"
>+                                 "facsimileTelephoneNumber: 123" % u['dn'])
>+
>+        for i in range(2):
>+            results, cookie = self.vlv_search(attr, expr, cookie=cookie,
>+                                              offset=i+1)
>+
> 
> 
> class PagedResultsTests(TestsWithUserOU):
>-- 
>2.20.1
>
>
>From c0aa1af3c3dcc68e8b0ea2bf2c0b75795064db05 Mon Sep 17 00:00:00 2001
>From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>Date: Fri, 21 Aug 2020 17:10:22 +1200
>Subject: [PATCH 3/4] s4: dns: Ensure variable initialization with NULL.
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Ensure no use after free.
>
>Based on patches from Francis Brosnan BlÃ¡zquez <francis@aspl.es>
>and Jeremy Allison <jra@samba.org>
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795
>
>Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>---
> .../rpc_server/dnsserver/dcerpc_dnsserver.c   | 24 ++++++++++---------
> 1 file changed, 13 insertions(+), 11 deletions(-)
>
>diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
>index b6389f2328a..ec610168266 100644
>--- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
>+++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
>@@ -1759,15 +1759,17 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
> 	TALLOC_CTX *tmp_ctx;
> 	char *name;
> 	const char * const attrs[] = { "name", "dnsRecord", NULL };
>-	struct ldb_result *res;
>-	struct DNS_RPC_RECORDS_ARRAY *recs;
>+	struct ldb_result *res = NULL;
>+	struct DNS_RPC_RECORDS_ARRAY *recs = NULL;
> 	char **add_names = NULL;
>-	char *rname;
>+	char *rname = NULL;
> 	const char *preference_name = NULL;
> 	int add_count = 0;
> 	int i, ret, len;
> 	WERROR status;
>-	struct dns_tree *tree, *base, *node;
>+	struct dns_tree *tree = NULL;
>+	struct dns_tree *base = NULL;
>+	struct dns_tree *node = NULL;
> 
> 	tmp_ctx = talloc_new(mem_ctx);
> 	W_ERROR_HAVE_NO_MEMORY(tmp_ctx);
>@@ -1850,9 +1852,9 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
> 		}
> 	}
> 
>-	talloc_free(res);
>-	talloc_free(tree);
>-	talloc_free(name);
>+	TALLOC_FREE(res);
>+	TALLOC_FREE(tree);
>+	TALLOC_FREE(name);
> 
> 	/* Add any additional records */
> 	if (select_flag & DNS_RPC_VIEW_ADDITIONAL_DATA) {
>@@ -1870,14 +1872,14 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
> 						LDB_SCOPE_ONELEVEL, attrs,
> 						"(&(objectClass=dnsNode)(name=%s)(!(dNSTombstoned=TRUE)))",
> 						encoded_name);
>-				talloc_free(name);
>+				TALLOC_FREE(name);
> 				if (ret != LDB_SUCCESS) {
> 					continue;
> 				}
> 				if (res->count == 1) {
> 					break;
> 				} else {
>-					talloc_free(res);
>+					TALLOC_FREE(res);
> 					continue;
> 				}
> 			}
>@@ -1892,8 +1894,8 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
> 							select_flag, rname,
> 							res->msgs[0], 0, recs,
> 							NULL, NULL);
>-			talloc_free(rname);
>-			talloc_free(res);
>+			TALLOC_FREE(rname);
>+			TALLOC_FREE(res);
> 			if (!W_ERROR_IS_OK(status)) {
> 				talloc_free(tmp_ctx);
> 				return status;
>-- 
>2.20.1
>
>
>From 44f52bf42c224ab42882645e81d40ad1d8b28ce1 Mon Sep 17 00:00:00 2001
>From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>Date: Fri, 21 Aug 2020 17:23:17 +1200
>Subject: [PATCH 4/4] s4/dns: do not crash when additional data not found
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Found by Francis Brosnan BlÃ¡zquez <francis@aspl.es>.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795
>Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>---
> source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
>diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
>index ec610168266..88efc01f154 100644
>--- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
>+++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
>@@ -1859,8 +1859,8 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
> 	/* Add any additional records */
> 	if (select_flag & DNS_RPC_VIEW_ADDITIONAL_DATA) {
> 		for (i=0; i<add_count; i++) {
>-			struct dnsserver_zone *z2;
>-
>+			struct dnsserver_zone *z2 = NULL;
>+			struct ldb_message *msg = NULL;
> 			/* Search all the available zones for additional name */
> 			for (z2 = dsstate->zones; z2; z2 = z2->next) {
> 				char *encoded_name;
>@@ -1877,6 +1877,7 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
> 					continue;
> 				}
> 				if (res->count == 1) {
>+					msg = res->msgs[0];
> 					break;
> 				} else {
> 					TALLOC_FREE(res);
>@@ -1892,7 +1893,7 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
> 			}
> 			status = dns_fill_records_array(tmp_ctx, NULL, DNS_TYPE_A,
> 							select_flag, rname,
>-							res->msgs[0], 0, recs,
>+							msg, 0, recs,
> 							NULL, NULL);
> 			TALLOC_FREE(rname);
> 			TALLOC_FREE(res);
>-- 
>2.20.1
>

Actions: View

Attachments on bug 12795: 13228 | 13229 | 13290 | 13291 | 16179 | 16180