From 5f40a9615bf3223fc3089a4c436d6c20b19513fe Mon Sep 17 00:00:00 2001
From: Arvid Requate
Date: Mon, 7 Feb 2022 18:00:03 +0100
Subject: [PATCH] Fix segfault in paged_results

reproducible by variations of:

  ldbsearch -H /var/lib/samba/private/sam.ldb \
    --controls=paged_results:1:1 \
    '(!(anr==SomeSurname))' foo

and other nested searches like '(|(foo=bar)(anr==SomeSurname))'.

When the paged_results control is given, then paged_results code stores
the req->op.search.tree in the private_data->store as paged_context.

The old code attached the paged_context to the talloc pointer `req`,
which seems to get freed after each request.

When the paged_results module is called for subsequent result pages, it
walks the private_data->store to identify the current paged_context via
cookie and then passes current->expr down to a new search.

current->expr is an ldb_parse_tree, which, in the case of `anr`, has been
constructed in the anr.c module. If that memory has been freed in between
requests, then tree->u.list.num_elements is still 2 (as set by
make_parse_list in anr.c), but tree->u.list.element[i] points to an
undefined location. This causes a segfault during the next run of the
resolve_oids module.

Signed-off-by: Arvid Requate
---
 source4/dsdb/samdb/ldb_modules/paged_results.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git source4/dsdb/samdb/ldb_modules/paged_results.c source4/dsdb/samdb/ldb_modules/paged_results.c
index 2063e84e157..7db93681163 100644
--- source4/dsdb/samdb/ldb_modules/paged_results.c
+++ source4/dsdb/samdb/ldb_modules/paged_results.c
@@ -656,7 +656,7 @@ static int paged_search(struct ldb_module *module, struct ldb_request *req)
 return LDB_ERR_UNSUPPORTED_CRITICAL_EXTENSION;
 }
 
- ac = talloc_zero(req, struct paged_context);
+ ac = talloc_zero(private_data, struct paged_context);
 if (ac == NULL) {
 ldb_set_errstring(ldb, "Out of Memory");
 return LDB_ERR_OPERATIONS_ERROR;
-- 
2.25.1
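Review bot: the `ac = talloc_zero(private_data, struct paged_context);` line removes the use-after-free by tying the paged_context's lifetime to the module's private data instead of the request, but nothing in this hunk releases `ac` once its cookie has been consumed or the client abandons the search, so unless the existing private_data->store handling already frees the paged_context when an entry is dropped, every paged search that never fetches its last page now pins a context (and the parse tree it references) for as long as the module is loaded; the commit message should name the path that frees it. It would also make the ownership explicit to move or copy the tree onto the object that outlives the request (for example `talloc_steal()` of `req->op.search.tree`, or `ldb_parse_tree_copy_shallow()` onto the store entry) rather than relying on the context's parent alone, since the tree is built in anr.c and the description only says the request "seems" to be freed between pages.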