13514 – stale pointer dereference in msg_dgm_ref_recv()/messaging_dgm_fde_active()

Bug 13514 - stale pointer dereference in msg_dgm_ref_recv()/messaging_dgm_fde_active()

Summary: stale pointer dereference in msg_dgm_ref_recv()/messaging_dgm_fde_active()

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	4.8.0
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Stefan Metzmacher
QA Contact:	Samba QA Contact

URL:	https://lists.samba.org/archive/samba...
Keywords:

Depends on:
Blocks:

Reported:	2018-07-09 11:03 UTC by Stefan Metzmacher
Modified:	2020-10-20 14:55 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stefan Metzmacher 2018-07-09 11:03:44 UTC

The interaction between msg_dgm_ref_recv() and msg_dgm_ref_destructor()
doesn't allow two references from messaging_dgm_ref() to be free'd
during the loop in msg_dgm_ref_recv().

In addition to the global 'refs' list, we also need to
have a global 'next_ref' pointer, which can be cleared in
msg_dgm_ref_destructor().

As AD DC we hit this when using irpc in auth_winbind.

Comment 1 Stefan Metzmacher 2020-10-20 14:55:24 UTC

Fixed by commit 1a9d6ce58939678f88b3081fb91c3309ff3cddb7 in 4.9.0rc1