Bug 11563 - net ads (join|leave) -S INVALID segfaults with nss_wins
Summary: net ads (join|leave) -S INVALID segfaults with nss_wins
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.2.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2015-10-20 13:57 UTC by Andreas Schneider
Modified: 2017-07-16 22:35 UTC

Attachments
patch for 4.2 (996 bytes, patch)
2015-10-27 11:11 UTC, Andreas Schneider
vl: review+
patch for 4.3 (980 bytes, patch)
2015-10-27 11:11 UTC, Andreas Schneider
vl: review+

Description Andreas Schneider 2015-10-20 13:57:44 UTC
net ads (join|leave) -S can segfault if we cannot resolve a name until we reach the terminating NULL pointer.

Patch and test will follow.
Comment 1 Andreas Schneider 2015-10-21 09:13:48 UTC
==8740== Invalid read of size 8
==8740==    at 0xABBC117: internal_resolve_name (namequery.c:2685)
==8740==    by 0xABBCBFB: resolve_name (namequery.c:2834)
==8740==    by 0x63AECBD: ads_connect (ldap.c:641)
==8740==    by 0x63AFABF: ads_connect_user_creds (ldap.c:776)
==8740==    by 0x7E21FA3: libnet_connect_ads (libnet_join.c:153)
==8740==    by 0x7E221B6: libnet_unjoin_connect_ads (libnet_join.c:209)
==8740==    by 0x7E23B42: libnet_DomainUnjoin (libnet_join.c:2464)
==8740==    by 0x7E23B42: libnet_Unjoin (libnet_join.c:2585)
==8740==    by 0x147986: net_ads_leave (net_ads.c:1004)
==8740==    by 0x14DDE3: net_ads (net_ads.c:3329)
==8740==    by 0x12C899: main (net.c:961)
==8740==  Address 0x1652f3d8 is 120 bytes inside a block of size 232 free'd
==8740==    at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==8740==    by 0xBD1F6E3: _talloc_free_internal (talloc.c:1063)
==8740==    by 0xBD1F6E3: _talloc_free (talloc.c:1594)
==8740==    by 0x82C3384: free_one_parameter_common.isra.1 (loadparm.c:371)
==8740==    by 0x82C9258: free_one_parameter_by_snum (loadparm.c:422)
==8740==    by 0x82C9258: free_parameters_by_snum (loadparm.c:434)
==8740==    by 0x82C9258: free_global_parameters (loadparm.c:444)
==8740==    by 0x82CD199: init_globals (loadparm.c:532)
==8740==    by 0x82CD2E0: lp_load_ex (loadparm.c:3655)
==8740==    by 0x82CDC83: lp_load (loadparm.c:3805)
==8740==    by 0x1D25B3D8: nss_wins_init (wins.c:56)
==8740==    by 0x1D25B3D8: lookup_byname_backend (wins.c:69)
==8740==    by 0x1D25B3D8: _nss_wins_gethostbyname_r (wins.c:303)
==8740==    by 0xCD1AAF1: gaih_inet (getaddrinfo.c:974)
==8740==    by 0xCD1D7AC: getaddrinfo (getaddrinfo.c:2419)
==8740==    by 0xABBC52E: resolve_hosts (namequery.c:2391)
==8740==    by 0xABBC52E: internal_resolve_name (namequery.c:2689)
==8740==    by 0xABBCBFB: resolve_name (namequery.c:2834)
==8740==    by 0x63AECBD: ads_connect (ldap.c:641)
==8740==    by 0x63AFABF: ads_connect_user_creds (ldap.c:776)
==8740==    by 0x7E21FA3: libnet_connect_ads (libnet_join.c:153)
==8740==    by 0x7E221B6: libnet_unjoin_connect_ads (libnet_join.c:209)
==8740==    by 0x7E23B42: libnet_DomainUnjoin (libnet_join.c:2464)
==8740==    by 0x7E23B42: libnet_Unjoin (libnet_join.c:2585)
==8740==    by 0x147986: net_ads_leave (net_ads.c:1004)
==8740==    by 0x14DDE3: net_ads (net_ads.c:3329)
==8740==    by 0x12C899: main (net.c:961)

nss_wins_init -> init_globals -> free_global_parameters

This frees the name_resolve_order string array so we are pointing to invalid memory.
Comment 2 Andreas Schneider 2015-10-27 11:11:07 UTC
Created attachment 11538 [details]
patch for 4.2
Comment 3 Andreas Schneider 2015-10-27 11:11:28 UTC
Created attachment 11539 [details]
patch for 4.3
Comment 4 Andreas Schneider 2015-11-16 10:41:38 UTC
Karolin, please apply the patches to the relevant branches. Thanks!
Comment 5 Karolin Seeger 2015-11-17 11:19:31 UTC
(In reply to Andreas Schneider from comment #4)
Pushed to autobuild-v4-[3|2]-test.
Comment 6 Karolin Seeger 2015-11-20 08:12:18 UTC
(In reply to Karolin Seeger from comment #5)
Pushed to v4-3-test. Waiting for autobuild-v4-2-test...
Comment 7 Karolin Seeger 2015-11-23 11:28:39 UTC
(In reply to Karolin Seeger from comment #6)
Pushed to both branches.
Closing out bug report.

Thanks!