12705 – Incorrect memory handling in server_id_db_lookup

Bug 12705 - Incorrect memory handling in server_id_db_lookup

Summary: Incorrect memory handling in server_id_db_lookup

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	Other (show other bugs)
Version:	4.6.0
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Andrew Bartlett
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2017-03-20 22:59 UTC by Andrew Bartlett
Modified:	2017-08-03 04:58 UTC (History)
CC List:	2 users (show)

See Also:

Attachments
initial patch as sent the the mailing list (needs bug ids and other fixes) (29.33 KB, patch) 2017-03-20 22:59 UTC, Andrew Bartlett	no flags	Details
patch cherry-picked from master for 4.6 (16.15 KB, patch) 2017-08-03 04:58 UTC, Andrew Bartlett	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andrew Bartlett 2017-03-20 22:59:27 UTC

Created attachment 13099 [details]
initial patch as sent the the mailing list (needs bug ids and other fixes)

Due to a cast in server_id_db_lookup() strv_count() will walk off the end of a zero-length talloc pointer in search of the terminating NULL.

The patch as sent to the mailing list at https://lists.samba.org/archive/samba-technical/2017-March/119461.html is included for context.

Comment 1 Andrew Bartlett 2017-06-27 22:07:27 UTC

Fixed by e92a20781ca45b8696397cdef424fe8b92bee66b in master for Samba 4.7

Comment 2 Andrew Bartlett 2017-08-03 04:58:45 UTC

Created attachment 13445 [details]
patch cherry-picked from master for 4.6

This may be helpful to backport, so i have done the cherry-pick.

I had to manually handle the conflicts in the knownfail.