Bug 12705 - Incorrect memory handling in server_id_db_lookup
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
Version: 4.6.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Blocks:
Reported: 2017-03-20 22:59 UTC by Andrew Bartlett
Modified: 2017-08-03 04:58 UTC

Attachments
initial patch as sent to the mailing list (needs bug ids and other fixes) (29.33 KB, patch)
2017-03-20 22:59 UTC, Andrew Bartlett
patch cherry-picked from master for 4.6 (16.15 KB, patch)
2017-08-03 04:58 UTC, Andrew Bartlett

Description Andrew Bartlett 2017-03-20 22:59:27 UTC
Created attachment 13099
initial patch as sent to the mailing list (needs bug ids and other fixes)

Due to a cast in server_id_db_lookup(), strv_count() will walk off the end of a zero-length talloc pointer in search of the terminating NULL.

The patch as sent to the mailing list at https://lists.samba.org/archive/samba-technical/2017-March/119461.html is included for context.
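
The failure mode described above, as an added illustration that is not Samba's code and not part of this bug report: a simplified model of a NUL-separated string vector, with a counter that trusts a terminator to exist beside one bounded by the buffer length. The function names and sample buffers are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample buffers (not taken from Samba). */
static const char sample_ok[] = "a\0bb";            /* 5 bytes: "a", "bb" */
static const char sample_unterminated[3] = { 'a', 'b', 'c' };

/* Unsafe pattern: each strlen() assumes a NUL lies somewhere ahead.
 * With len == 0 there is no byte to read, so the very first strlen()
 * is already out of bounds. Only call this on well-formed input. */
static size_t count_unchecked(const char *buf, size_t len)
{
	const char *p = buf;
	size_t n = 0;
	do {
		p += strlen(p) + 1;
		n++;
	} while ((size_t)(p - buf) < len);
	return n;
}

/* Bounded version: never reads past buf + len.
 * Returns the string count, or -1 if the last string is unterminated. */
static long count_checked(const char *buf, size_t len)
{
	size_t off = 0;
	long n = 0;
	if (buf == NULL || len == 0)
		return 0;               /* empty vector, nothing dereferenced */
	if (buf[len - 1] != '\0')
		return -1;              /* no terminator inside the buffer */
	while (off < len) {
		/* memchr cannot fail here: the last byte is known to be NUL */
		const char *nul = memchr(buf + off, '\0', len - off);
		off = (size_t)(nul - buf) + 1;
		n++;
	}
	return n;
}

int main(void)
{
	printf("unchecked, well-formed: %zu\n", count_unchecked(sample_ok, sizeof(sample_ok)));
	printf("checked, well-formed:   %ld\n", count_checked(sample_ok, sizeof(sample_ok)));
	printf("checked, zero-length:   %ld\n", count_checked(sample_ok, 0));
	printf("checked, unterminated:  %ld\n", count_checked(sample_unterminated, 3));
	return 0;
}
```

Building with `-fsanitize=address` and feeding the unchecked counter a zero-length heap allocation is a quick way to confirm this class of over-read in a test harness.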
Comment 1 Andrew Bartlett 2017-06-27 22:07:27 UTC
Fixed by e92a20781ca45b8696397cdef424fe8b92bee66b in master for Samba 4.7
Comment 2 Andrew Bartlett 2017-08-03 04:58:45 UTC
Created attachment 13445
patch cherry-picked from master for 4.6

This may be helpful to backport, so I have done the cherry-pick.

I had to manually handle the conflicts in the knownfail.