CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info()
authorStefan Metzmacher <metze@samba.org>
Thu, 5 Aug 2021 11:30:41 +0000 (13:30 +0200)
committerJule Anger <janger@samba.org>
Mon, 8 Nov 2021 09:52:13 +0000 (10:52 +0100)
We also want to use this in code that has no existing
stackframe.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth/auth_util.c

index f3586f1fc1e0515722b0335c0fc97e07cbc93920..fe01babd107909dfe7a30299609b04a922d851ee 100644 (file)
 struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx,
                                            const struct auth_session_info *src)
 {
+       TALLOC_CTX *frame = talloc_stackframe();
        struct auth_session_info *dst;
        DATA_BLOB blob;
        enum ndr_err_code ndr_err;
 
        ndr_err = ndr_push_struct_blob(
                &blob,
-               talloc_tos(),
+               frame,
                src,
                (ndr_push_flags_fn_t)ndr_push_auth_session_info);
        if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
                DBG_ERR("copy_session_info(): ndr_push_auth_session_info "
                        "failed: %s\n",
                        ndr_errstr(ndr_err));
+               TALLOC_FREE(frame);
                return NULL;
        }
 
        dst = talloc(mem_ctx, struct auth_session_info);
        if (dst == NULL) {
                DBG_ERR("talloc failed\n");
-               TALLOC_FREE(blob.data);
+               TALLOC_FREE(frame);
                return NULL;
        }
 
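Review bot: The marshalled copy in `blob` is now released only when `frame` is freed, and no path clears its contents first. `struct auth_session_info` presumably carries the session key (its definition is not visible here), so the serialized bytes would remain in freed heap memory; the removed `TALLOC_FREE(blob.data)` did not clear them either, so this predates the commit. Consider `talloc_keep_secret(blob.data);` right after the successful `ndr_push_struct_blob()` if the target branch has that helper, or `data_blob_clear(&blob);` before each `TALLOC_FREE(frame)`. Neither would cover buffers that the push grew and discarded internally, and the function body continues past this hunk.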
@@ -54,15 +56,16 @@ struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx,
                dst,
                dst,
                (ndr_pull_flags_fn_t)ndr_pull_auth_session_info);
-       TALLOC_FREE(blob.data);
 
        if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
                DBG_ERR("copy_session_info(): ndr_pull_auth_session_info "
                        "failed: %s\n",
                        ndr_errstr(ndr_err));
                TALLOC_FREE(dst);
+               TALLOC_FREE(frame);
                return NULL;
        }
 
+       TALLOC_FREE(frame);
        return dst;
 }
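Review bot: `TALLOC_FREE(frame)` now has to be repeated on all four returns (two in this hunk, two in the previous one), so an early return added later that omits it would leave the stackframe unreleased. A single exit removes that risk: initialise `dst = NULL`, turn the error returns into `goto out;`, and end the function with `out: TALLOC_FREE(frame); return dst;`. The pull-failure path keeps its `TALLOC_FREE(dst)`, which also resets `dst` to NULL. A one-line comment on the `frame` declaration, such as `/* owns blob.data; released on every exit */`, would record why the explicit `TALLOC_FREE(blob.data)` calls were dropped. The function starts in the previous hunk.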