Bug 1439 - Uninitialized free()s in init_sam_from_buffer_*
Summary: Uninitialized free()s in init_sam_from_buffer_*
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts (show other bugs)
Version: 3.0.4
Hardware: All All
Importance: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-06-07 15:24 UTC by Jed Davis
Modified: 2005-08-24 10:24 UTC (History)

See Also:


Description Jed Davis 2004-06-07 15:24:54 UTC
In init_sam_from_buffer_v0 and init_sam_from_buffer_v1 (or just
init_sam_from_buffer in older versions), if the call to tdb_unpack() fails for
some reason, control passes to the label "done"; the code then frees a number of
pointers which may never have been initialized.  This can cause the process in
question to crash; it certainly has on Linux (glibc's malloc/free doesn't do
much in the way of sanity checks, I believe).  The fix is simple: initialize the
various pointers to NULL, so that in case of unpack failure the free is a no-op,
as was apparently intended.

One thing that can trigger this bug is trying to downgrade a system from 3.0.4
to 3.0.2a; any records that have been written in the _v1 format will have a time
value (when the password must change) where the old unpacker expects to find the
length of the username.
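The error path described above, rendered as an added C illustration (not Samba's code): a hypothetical `unpack_str()` stands in for `tdb_unpack()`, the record layout of three length-prefixed strings is made up, and the pointers carry the NULL initializers the report proposes, so a failure on the first field still reaches the `done:` frees safely.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for tdb_unpack(): reads a 4-byte little-endian length, then that
 * many bytes, and stores a malloc'd NUL-terminated copy in *out. On a short or
 * oversized field it returns 0 and leaves *out untouched, which is the case
 * that let the original code reach free() with an uninitialized pointer. */
static int unpack_str(const uint8_t *buf, size_t len, size_t *pos, char **out)
{
    uint32_t n;
    if (*pos + 4 > len) return 0;
    n = buf[*pos] | (uint32_t)buf[*pos + 1] << 8 |
        (uint32_t)buf[*pos + 2] << 16 | (uint32_t)buf[*pos + 3] << 24;
    if (n > len - *pos - 4) return 0;           /* length runs past the record */
    *out = malloc(n + 1);
    if (*out == NULL) return 0;
    memcpy(*out, buf + *pos + 4, n);
    (*out)[n] = '\0';
    *pos += 4 + n;
    return 1;
}

/* Hypothetical account record: three length-prefixed strings. The bug was
 * that these pointers had no initializer, so a failing first unpack jumped
 * straight to "done" and handed stack garbage to free(). Returns 1 if the
 * whole record was parsed, 0 on failure; all memory is released either way. */
int init_account_from_buffer(const uint8_t *buf, size_t len)
{
    char *username = NULL, *domain = NULL, *fullname = NULL;  /* the fix */
    size_t pos = 0;
    int ret = 0;
    if (!unpack_str(buf, len, &pos, &username) ||
        !unpack_str(buf, len, &pos, &domain) ||
        !unpack_str(buf, len, &pos, &fullname))
        goto done;                                /* unpack failed part-way */
    ret = 1;
done:
    free(username);   /* free(NULL) is a no-op, so partial parses are safe */
    free(domain);
    free(fullname);
    return ret;
}

/* Constructed sample records, not real passdb.tdb contents. */
static const uint8_t GOOD_REC[] = { 3,0,0,0,'b','o','b', 2,0,0,0,'W','G', 0,0,0,0 };
/* A _v1-style record seen by a _v0 reader: the leading 4 bytes are a time value,
 * read as a username length far longer than the record, so the first unpack fails. */
static const uint8_t OLD_READER_V1_REC[] = { 0x80,0x3c,0xa5,0x40, 3,0,0,0,'b','o','b' };
```

Passing `GOOD_REC` with a truncated length exercises the partial-parse case, where one field was allocated before the failure and must still be freed exactly once.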
Comment 1 Gerald (Jerry) Carter (dead mail address) 2005-02-11 07:57:21 UTC
fixed. Just to note though that downgrading is not supported for tdb's.
Comment 2 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:24:12 UTC
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.