The Samba-Bugzilla – Attachment 16180 Details for
Bug 12795
Remote crash after adding NS or MX records using samba-tool
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
the correct patch
updated-patches-for-bug-12795.patch (text/plain), 4.58 KB, created by
Douglas Bagnall
on 2020-08-21 05:32:25 UTC
(
hide
)
Description:
the correct patch
Filename:
MIME Type:
Creator:
Douglas Bagnall
Created:
2020-08-21 05:32:25 UTC
Size:
4.58 KB
patch
obsolete
>From c0aa1af3c3dcc68e8b0ea2bf2c0b75795064db05 Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Fri, 21 Aug 2020 17:10:22 +1200 >Subject: [PATCH 1/2] s4: dns: Ensure variable initialization with NULL. >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >Ensure no use after free. > >Based on patches from Francis Brosnan Blázquez <francis@aspl.es> >and Jeremy Allison <jra@samba.org> > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795 > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >--- > .../rpc_server/dnsserver/dcerpc_dnsserver.c | 24 ++++++++++--------- > 1 file changed, 13 insertions(+), 11 deletions(-) > >diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c >index b6389f2328a..ec610168266 100644 >--- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c >+++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c >@@ -1759,15 +1759,17 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, > TALLOC_CTX *tmp_ctx; > char *name; > const char * const attrs[] = { "name", "dnsRecord", NULL }; >- struct ldb_result *res; >- struct DNS_RPC_RECORDS_ARRAY *recs; >+ struct ldb_result *res = NULL; >+ struct DNS_RPC_RECORDS_ARRAY *recs = NULL; > char **add_names = NULL; >- char *rname; >+ char *rname = NULL; > const char *preference_name = NULL; > int add_count = 0; > int i, ret, len; > WERROR status; >- struct dns_tree *tree, *base, *node; >+ struct dns_tree *tree = NULL; >+ struct dns_tree *base = NULL; >+ struct dns_tree *node = NULL; > > tmp_ctx = talloc_new(mem_ctx); > W_ERROR_HAVE_NO_MEMORY(tmp_ctx); >@@ -1850,9 +1852,9 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, > } > } > >- talloc_free(res); >- talloc_free(tree); >- talloc_free(name); >+ TALLOC_FREE(res); >+ TALLOC_FREE(tree); >+ TALLOC_FREE(name); > > /* Add any additional records */ > if (select_flag & DNS_RPC_VIEW_ADDITIONAL_DATA) { >@@ -1870,14 +1872,14 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, > LDB_SCOPE_ONELEVEL, attrs, > "(&(objectClass=dnsNode)(name=%s)(!(dNSTombstoned=TRUE)))", > encoded_name); >- talloc_free(name); >+ TALLOC_FREE(name); > if (ret != LDB_SUCCESS) { > continue; > } > if (res->count == 1) { > break; > } else { >- talloc_free(res); >+ TALLOC_FREE(res); > continue; > } > } >@@ -1892,8 +1894,8 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, > select_flag, rname, > res->msgs[0], 0, recs, > NULL, NULL); >- talloc_free(rname); >- talloc_free(res); >+ TALLOC_FREE(rname); >+ TALLOC_FREE(res); > if (!W_ERROR_IS_OK(status)) { > talloc_free(tmp_ctx); > return status; >-- >2.20.1 > > >From 44f52bf42c224ab42882645e81d40ad1d8b28ce1 Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Fri, 21 Aug 2020 17:23:17 +1200 >Subject: [PATCH 2/2] s4/dns: do not crash when additional data not found >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >Found by Francis Brosnan Blázquez <francis@aspl.es>. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795 >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >--- > source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > >diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c >index ec610168266..88efc01f154 100644 >--- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c >+++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c >@@ -1859,8 +1859,8 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, > /* Add any additional records */ > if (select_flag & DNS_RPC_VIEW_ADDITIONAL_DATA) { > for (i=0; i<add_count; i++) { >- struct dnsserver_zone *z2; >- >+ struct dnsserver_zone *z2 = NULL; >+ struct ldb_message *msg = NULL; > /* Search all the available zones for additional name */ > for (z2 = dsstate->zones; z2; z2 = z2->next) { > char *encoded_name; >@@ -1877,6 +1877,7 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, > continue; > } > if (res->count == 1) { >+ msg = res->msgs[0]; > break; > } else { > TALLOC_FREE(res); >@@ -1892,7 +1893,7 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, > } > status = dns_fill_records_array(tmp_ctx, NULL, DNS_TYPE_A, > select_flag, rname, >- res->msgs[0], 0, recs, >+ msg, 0, recs, > NULL, NULL); > TALLOC_FREE(rname); > TALLOC_FREE(res); >-- >2.20.1 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=16180">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
jra
:
review+
dbagnall
:
review?
(
abartlet
)
Actions:
View
Attachments on
bug 12795
:
13228
|
13229
|
13290
|
13291
|
16179
| 16180