commit ab7988aa2fd1a43f576a4b73a6893c61c7ef1957
Author: Stefan Metzmacher <metze@samba.org>
Date:   Fri Jan 19 13:42:40 2018 +0100

    s4:rpc_server/lsa: prepare dcesrv_lsa_LookupSids* for async processing

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Ralph Boehme <slow@samba.org>

Introduced a use-after-free, as the state variable contains the data to be returned to the client and packed into NDR after the function has returned. This memory needs to be kept (on mem_ctx as parent) until that is pushed and freed by the caller.
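Added example, not Samba's code: a self-contained C sketch of the lifetime problem described above. The small `ctx` allocator stands in for talloc's parent/child ownership (an assumption of this example; the real server uses talloc and `TALLOC_FREE`), and `lookup_sids_buggy`, `lookup_sids_fixed`, `call_and_push`, the account name and the SID are all constructed for illustration. The buggy handler frees its per-call state while the reply still hangs under it; the fixed handler allocates the reply under the caller's mem_ctx so it outlives the handler and is freed only after the caller has pushed it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CTX 64

/* Liveness table, one slot per context ever allocated: 1 while allocated,
 * 0 once freed. It lets the caller ask "is this reply still valid?" without
 * touching freed memory (the real bug read it, which AddressSanitizer caught). */
static int ctx_live[MAX_CTX];
static int ctx_count;

/* Minimal stand-in for a talloc context (assumption of this example, not
 * talloc itself): freeing a context frees all of its descendants first. */
struct ctx {
    int id;
    struct ctx *parent;
    struct ctx *child;    /* first child */
    struct ctx *sibling;  /* next child of the same parent */
    char data[64];        /* payload, e.g. a resolved account name */
};

static struct ctx *ctx_alloc(struct ctx *parent, const char *payload)
{
    struct ctx *c;
    if (ctx_count >= MAX_CTX) return NULL;
    c = calloc(1, sizeof(*c));
    if (c == NULL) return NULL;
    c->id = ctx_count++;
    ctx_live[c->id] = 1;
    c->parent = parent;
    if (payload != NULL) snprintf(c->data, sizeof(c->data), "%s", payload);
    if (parent != NULL) { c->sibling = parent->child; parent->child = c; }
    return c;
}

static void ctx_free(struct ctx *c)
{
    while (c->child != NULL) ctx_free(c->child);  /* children first, like talloc */
    if (c->parent != NULL) {                       /* unlink from the parent */
        struct ctx **pp = &c->parent->child;
        while (*pp != c) pp = &(*pp)->sibling;
        *pp = c->sibling;
    }
    ctx_live[c->id] = 0;
    free(c);
}

/* Handler shape before the fix: the reply is a child of the per-call state,
 * and state is freed before returning. The caller NDR-pushes the reply only
 * after the handler returns, so it is handed a dangling pointer.
 * Returns the reply's id (or -1) so the caller can check its liveness. */
static int lookup_sids_buggy(struct ctx *mem_ctx, const char *sid)
{
    struct ctx *state = ctx_alloc(mem_ctx, NULL);
    struct ctx *reply = state ? ctx_alloc(state, "DOMAIN\\user1") : NULL; /* constructed */
    int reply_id;
    (void)sid;                 /* the SID lookup itself is not modelled here */
    if (reply == NULL) return -1;
    reply_id = reply->id;
    ctx_free(state);           /* TALLOC_FREE(state) takes reply with it */
    return reply_id;
}

/* Handler shape after the fix: the reply hangs off mem_ctx, which the caller
 * owns and frees only after the NDR push, so freeing state is harmless. */
static int lookup_sids_fixed(struct ctx *mem_ctx, const char *sid)
{
    struct ctx *state = ctx_alloc(mem_ctx, NULL);
    struct ctx *reply = ctx_alloc(mem_ctx, "DOMAIN\\user1"); /* constructed */
    int reply_id;
    (void)sid;
    if (state == NULL || reply == NULL) return -1;
    reply_id = reply->id;
    ctx_free(state);           /* scratch state can go; the reply survives */
    return reply_id;
}

/* Caller side, standing in for the dcesrv call loop: run the handler, then
 * "push" the reply. Returns 1 if the reply is still live at push time and
 * 0 if it already dangles. mem_ctx is freed afterwards in both cases. */
static int call_and_push(int (*handler)(struct ctx *, const char *))
{
    struct ctx *mem_ctx = ctx_alloc(NULL, NULL);
    int reply_id, live;
    if (mem_ctx == NULL) return 0;
    reply_id = handler(mem_ctx, "S-1-5-21-1-2-3-500"); /* constructed SID */
    live = reply_id >= 0 ? ctx_live[reply_id] : 0;
    ctx_free(mem_ctx);
    return live;
}

int main(void)
{
    printf("fixed handler: reply live at push time = %d\n",
           call_and_push(lookup_sids_fixed));
    printf("buggy handler: reply live at push time = %d\n",
           call_and_push(lookup_sids_buggy));
    return 0;
}
```

The liveness table is what makes the bug observable without undefined behaviour; in the real server the only symptom was AddressSanitizer reporting the read of freed talloc memory during the NDR push, which is why the backtrace requested below is the useful artifact to attach.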
Created attachment 14172 [details] patch for master
(In reply to Andrew Bartlett from comment #0) Can you please upload backtraces (or whatever AddressSanitizer produces)? It would be good to understand what went wrong. It's ok to have the removal of TALLOC_FREE(state) as an immediate fix, but I'd like to follow up with a proper fix.
Created attachment 14174 [details] backtrace from AddressSanitizer
Created attachment 14192 [details] backported patch for 4.8
Comment on attachment 14192 [details] backported patch for 4.8 I think this is incomplete, I'll upload an additional patch for master...
Created attachment 14195 [details] Additional patch for master
(In reply to Stefan Metzmacher from comment #6) This is an NTLMSSP patch, not an LSA server patch
Created attachment 14196 [details] Additional patch for master Should be the correct patch now, sorry...
Comment on attachment 14196 [details] Additional patch for master Looks good to me, and confirmed with AddressSanitizer. Reviewed-by: Andrew Bartlett <abartlet@samba.org> Please push!
Fixed in master as 9a513304adadd79d1c63d55fcf06b67ed45d43ba for Samba 4.9.
Created attachment 14198 [details] patch for 4.8 cherry-picked from master
(In reply to Andrew Bartlett from comment #11) Pushed to autobuild-v4-8-test.
(In reply to Karolin Seeger from comment #12) Pushed to v4-8-test. Closing out bug report. Thanks!