Bug 14659 - memory leak in dsdb_match_for_dns_to_tombstone_time
Summary: memory leak in dsdb_match_for_dns_to_tombstone_time
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: All / OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2021-03-10 03:40 UTC by Douglas Bagnall
Modified: 2021-08-14 00:07 UTC


Attachment: fix (1.17 KB, patch), 2021-03-10 03:40 UTC, Douglas Bagnall

Description Douglas Bagnall 2021-03-10 03:40:52 UTC
Created attachment 16515

We have been going:

	tmp_ctx = talloc_new(ldb);

	/* ... */

	for (i = 0; i < el->num_values; i++) {

		/* ... stuff using tmp_ctx ... */

		if (various somethings) {
			/* ... TALLOC_FREE(tmp_ctx) here, then the loop continues (see comment 1) ... */

so if el->num_values > 1, and one of the various somethings is true, we have a use after free.
Comment 1 Douglas Bagnall 2021-03-11 22:53:48 UTC
Actually this is just a leak, since the TALLOC_FREE nulls tmp_ctx, then everything else is allocated on NULL. Once there it is never freed.
Comment 2 Douglas Bagnall 2021-03-11 23:15:04 UTC
A reference point for the scale of the leak:

$ bin/ldbsearch -H st/ad_dc/private/sam.ldb '(&(objectClass=dnsNode)(dnsRecord:'  --leak-report-full
full talloc report on 'null_context' (total   2227 bytes in  47 blocks)
    char                           contains     19 bytes in   1 blocks (ref 0) 0x55ec45c6cf20
    struct dnsp_DnssrvRpcRecord    contains     80 bytes in   1 blocks (ref 0) 0x55ec44be6d90

There are 12 leaked records on the bare testenv, 99 bytes per record.

If scavenging is enabled this will happen daily.

A non-system user (e.g. the ldap server) is forbidden from running this search:

$ bin/ldbsearch -H ldap://$SERVER -U$USERNAME%$PASSWORD '(&(objectClass=dnsNode)(dnsRecord:' 
search error - LDAP error 1 LDAP_OPERATIONS_ERROR -  <00002020: Indexed and full searches both failed!
Comment 3 Samba QA Contact 2021-03-30 18:56:03 UTC
This bug was referenced in samba master:

Comment 4 Björn Jacke 2021-08-14 00:07:06 UTC
fixed in 4.15