From 1d14da7761efa278dcc4489b66667c7aa428786f Mon Sep 17 00:00:00 2001 From: Stefan Gohmann Date: Mon, 26 May 2014 22:46:28 +0200 Subject: [PATCH] s4:dsdb/common: samdb_result_parameters: fix bug in ldb_val to lsa_BinaryString conversation If the length of the attribute 'userParameters' is odd, the rpc_server got stuck. The backtrace from the log file: *** glibc detected *** /usr/sbin/samba: malloc(): memory corruption (fast): 0x00007f08dd7cf760 *** ======= Backtrace: ========= /lib/libc.so.6(+0x71e16)[0x7f08d7c90e16] /lib/libc.so.6(+0x7572d)[0x7f08d7c9472d] /lib/libc.so.6(__libc_malloc+0x70)[0x7f08d7c95c70] /usr/lib/libtalloc.so.2(_talloc_array+0x1f2)[0x7f08d83a0772] /usr/lib/libldb.so.1(ldb_unpack_data+0x2a4)[0x7f08d85b9b14] /usr/lib//ldb/modules/ldb/tdb.so(+0x640f)[0x7f08c2a0a40f] /usr/lib/libtdb.so.1(tdb_parse_record+0x77)[0x7f08d5c02e27] /usr/lib//ldb/modules/ldb/tdb.so(ltdb_search_dn1+0xa1)[0x7f08c2a0add1] /usr/lib//ldb/modules/ldb/tdb.so(ltdb_search_indexed+0x11a)[0x7f08c2a0d01a] /usr/lib//ldb/modules/ldb/tdb.so(ltdb_search+0x11a)[0x7f08c2a0a0ea] /usr/lib//ldb/modules/ldb/tdb.so(+0x5a98)[0x7f08c2a09a98] /usr/lib/libtevent.so.0(tevent_common_loop_timer_delay+0xe4)[0x7f08d7f89094] /usr/lib/libtevent.so.0(+0x8fcb)[0x7f08d7f89fcb] /usr/lib/libtevent.so.0(+0x76d6)[0x7f08d7f886d6] /usr/lib/libtevent.so.0(_tevent_loop_once+0x9d)[0x7f08d7f848bd] /usr/lib/libldb.so.1(ldb_wait+0xe5)[0x7f08d85c5195] /usr/lib//samba/libdsdb-module.so(dsdb_module_search_dn+0x1c0)[0x7f08c91ba6d0] /usr/lib//samba/libdsdb-module.so(dsdb_module_find_dsheuristics+0x79)[0x7f08c91ba8a9] /usr/lib//samba/libdsdb-module.so(dsdb_user_password_support+0x3b)[0x7f08c91ba96b] The attached patch fixed the issue for our customer environments. Stefan Signed-off-by: Stefan Gohmann
---
 source4/dsdb/common/util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 2aa6a6c..6d7bb74 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -721,7 +721,7 @@ struct lsa_BinaryString samdb_result_parameters(TALLOC_CTX *mem_ctx,
 return s;
 }
- s.array = talloc_array(mem_ctx, uint16_t, val->length/2);
+ s.array = talloc_array(mem_ctx, uint16_t, (val->length + 1) / 2);
 if (!s.array) {
 return s;
 }
-- 1.9.1
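Review bot: For an odd `val->length` the rounded-up `talloc_array` on the added line returns one byte more than the attribute holds, and `talloc_array` does not zero it, so the high byte of the last `uint16_t` stays uninitialised unless code below the hunk fills it. If that element is later marshalled into an RPC reply, a byte of stale heap content would go out with it; `s.array = talloc_zero_array(mem_ctx, uint16_t, (val->length + 1) / 2);` closes that, or the function could treat an odd-length value as corrupt and return the zeroed `s`. A short comment such as `/* round up: userParameters may have an odd byte length */` would also explain the `+ 1`. The body of samdb_result_parameters continues past the hunk, so how `s.length`/`s.size` and the copy treat the odd byte cannot be checked from here.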