pyldb: Avoid use-after-free in msg_diff()

Make a deep copy of the message elements in msg_diff() so that if either
of the input messages are deallocated early, the result does not refer
to non-existing elements.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14645
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
[abartlet@samba.org backported from commit
 19a2af02f57d99db8ed3c6b028c3abdf4b553700 due to conflicts in
 the knownfail.d/python-segfaults file]

Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Wed Sep 29 13:14:22 UTC 2021 on sn-devel-184

diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c
index 813cdb0870eb0f62057e1091c4a33d2e0e1d5016..443b677c2c4650230ccd43c859abca061d333e60 100644 (file)
--- a/lib/ldb/pyldb.c
+++ b/lib/ldb/pyldb.c
@@ -1804,6 +1804,7 @@ static PyObject *py_ldb_msg_diff(PyLdbObject *self, PyObject *args)
        struct ldb_message *diff;
        struct ldb_context *ldb;
        PyObject *py_ret;
+       TALLOC_CTX *mem_ctx = NULL;
 
        if (!PyArg_ParseTuple(args, "OO", &py_msg_old, &py_msg_new))
                return NULL;
@@ -1818,19 +1819,32 @@ static PyObject *py_ldb_msg_diff(PyLdbObject *self, PyObject *args)
                return NULL;
        }
 
+       mem_ctx = talloc_new(NULL);
+       if (mem_ctx == NULL) {
+               PyErr_NoMemory();
+               return NULL;
+       }
+
        ldb = pyldb_Ldb_AS_LDBCONTEXT(self);
-       ldb_ret = ldb_msg_difference(ldb, ldb,
+       ldb_ret = ldb_msg_difference(ldb, mem_ctx,
                                     pyldb_Message_AsMessage(py_msg_old),
                                     pyldb_Message_AsMessage(py_msg_new),
                                     &diff);
        if (ldb_ret != LDB_SUCCESS) {
+               talloc_free(mem_ctx);
                PyErr_SetString(PyExc_RuntimeError, "Failed to generate the Ldb Message diff");
                return NULL;
        }
 
+       diff = ldb_msg_copy(mem_ctx, diff);
+       if (diff == NULL) {
+               PyErr_NoMemory();
+               return NULL;
+       }
+
        py_ret = PyLdbMessage_FromMessage(diff);
 
-       talloc_unlink(ldb, diff);
+       talloc_free(mem_ctx);
 
        return py_ret;
 }

diff --git a/selftest/knownfail.d/python-segfaults b/selftest/knownfail.d/python-segfaults
index b7229fc72297f2224dd411cd84c06d40171d8c23..1be0566dcb1eab45e2509718e14dff7419b27e90 100644 (file)
--- a/selftest/knownfail.d/python-segfaults
+++ b/selftest/knownfail.d/python-segfaults
@@ -1,2 +1 @@
 samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_net_replicate_init__3
-samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_ldb_msg_diff