The Samba-Bugzilla – Attachment 16943 Details for Bug 14725 [SECURITY] Andrew's Kerberos Concerns (November 9 2021)
Patch to fix use-after-free regression on top of the combined v12 patchsets (all versions)
security-2021-11-bug14725-fix.patch (text/plain), 1.86 KB, created by Jennifer Sutton on 2021-11-04 04:12:57 UTC
>From 39b9e399cae2d6a51e8793fbf7b74e56271d9fcf Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Thu, 4 Nov 2021 16:26:09 +1300 >Subject: [PATCH] CVE-2020-25722 s4/dsdb/samldb: Fix use-after-free in > check_spn_write_rights() > >Ensure that we don't use del_el after it has been invalidated by the >second call to ldb_msg_add_empty(), which performs a talloc_realloc(). > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >--- > source4/dsdb/samdb/ldb_modules/samldb.c | 19 +++++++++++-------- > 1 file changed, 11 insertions(+), 8 deletions(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c >index 022dbc0c3cc..db3883eb527 100644 >--- a/source4/dsdb/samdb/ldb_modules/samldb.c >+++ b/source4/dsdb/samdb/ldb_modules/samldb.c >@@ -3688,6 +3688,16 @@ static int check_spn_write_rights(struct ldb_context *ldb, > talloc_free(msg); > return ret; > } >+ >+ del_el->values = talloc_array(msg->elements, struct ldb_val, 1); >+ if (del_el->values == NULL) { >+ talloc_free(msg); >+ return ret; >+ } >+ >+ del_el->values[0] = val; >+ del_el->num_values = 1; >+ > ret = ldb_msg_add_empty(msg, > "servicePrincipalName", > LDB_FLAG_MOD_ADD, >@@ -3697,22 +3707,15 @@ static int check_spn_write_rights(struct ldb_context *ldb, > return ret; > } > >- del_el->values = talloc_array(msg->elements, struct ldb_val, 1); >- if (del_el->values == NULL) { >- talloc_free(msg); >- return ret; >- } >- > add_el->values = talloc_array(msg->elements, struct ldb_val, 1); > if (add_el->values == NULL) { > talloc_free(msg); > return ret; > } > >- del_el->values[0] = val; >- del_el->num_values = 1; > add_el->values[0] = val; > add_el->num_values = 1; >+ > ret = ldb_modify(ldb, msg); > if (ret == LDB_ERR_NO_SUCH_ATTRIBUTE) { > DBG_ERR("hmm I think we're OK, but not sure\n"); >-- >2.31.1.362.g311531c9de >
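Review bot: in the first hunk (@@ -3688,6 +3688,16 @@), the new NULL check on del_el->values frees msg and does "return ret;", but ret at that point still holds the result of the preceding ldb_msg_add_empty() call, which has already passed its own error return just above. If that result is LDB_SUCCESS, an allocation failure here makes check_spn_write_rights() report success without having performed the check. The removed lines show the old code had the same pattern, so this is inherited rather than new, but since the block is being moved anyway I would return an explicit error such as ldb_oom(ldb) instead of ret.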
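Review bot: in the second hunk (@@ -3697,22 +3707,15 @@), del_el stays in scope as a dangling pointer once the second ldb_msg_add_empty() has reallocated msg->elements, and nothing in the code says so. The fix only works because every del_el access was moved above that call, which a later edit could undo without any visible warning. I would add a short comment at the second ldb_msg_add_empty() stating that del_el is invalid from there on, or set del_el = NULL right after the call so that a reintroduced use fails immediately. The remaining add_el->values NULL check also does "return ret;" with ret coming from a call that has just succeeded, so the same explicit out-of-memory return applies there.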
Flags: metze: review+, metze: ci-passed+