From: Joseph Sutton
Date: Mon, 4 Sep 2023 22:28:02 +0000 (+1200)
Subject: s4:kdc: Avoid potential use‐after‐free
X-Git-Tag: tevent-0.16.0~599
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=19b616d1699c2b98d72522b60af55a4c4e7d4726;p=thirdparty%2Fsamba.git
s4:kdc: Avoid potential use‐after‐free
We must allocate the domain groups on to the correct memory context, lest they get freed prematurely.
Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 2482cdce459..dcef5da2f9a 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -1707,8 +1707,7 @@ out:
 return ret;
 }
-static krb5_error_code samba_kdc_add_domain_group_sid(TALLOC_CTX *mem_ctx,
- struct PAC_DEVICE_INFO *info,
+static krb5_error_code samba_kdc_add_domain_group_sid(struct PAC_DEVICE_INFO *info,
 const struct netr_SidAttr *sid)
 {
 uint32_t i;
@@ -1729,7 +1728,7 @@ static krb5_error_code samba_kdc_add_domain_group_sid(TALLOC_CTX *mem_ctx,
 if (domain_group == NULL) {
 info->domain_groups = talloc_realloc(
- mem_ctx,
+ info,
 info->domain_groups,
 struct PAC_DOMAIN_GROUP_MEMBERSHIP,
 info->domain_group_count + 1);
@@ -1821,7 +1820,7 @@ static krb5_error_code samba_kdc_make_device_info(TALLOC_CTX *mem_ctx,
 const struct netr_SidAttr *device_sid = &info3->sids[i];
 if (dom_sid_has_account_domain(device_sid->sid)) {
- ret = samba_kdc_add_domain_group_sid(mem_ctx, device_info, device_sid);
+ ret = samba_kdc_add_domain_group_sid(device_info, device_sid);
 if (ret != 0) {
 goto out;
 }
@@ -1895,7 +1894,7 @@ static krb5_error_code samba_kdc_update_device_info(TALLOC_CTX *mem_ctx,
 .attributes = device_sid->attrs,
 };
- krb5_error_code ret = samba_kdc_add_domain_group_sid(mem_ctx, device_info, &sid);
+ krb5_error_code ret = samba_kdc_add_domain_group_sid(device_info, &sid);
 if (ret != 0) {
 return ret;
 }
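Review bot: With the `TALLOC_CTX *mem_ctx` parameter removed from `samba_kdc_add_domain_group_sid()` in the `@@ -1707,8 +1707,7 @@` hunk, `info` now doubles as the allocation parent, but the new signature has no comment saying that `info` must itself be a talloc chunk. A pointer that did not come from talloc is not a valid context for `talloc_realloc()`, so the requirement should be stated where callers of this helper will read it. I would add above the function: `/* info must be talloc-allocated: the domain_groups array is parented to it and is freed together with it. */`. The function body continues past the end of this hunk.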
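Review bot: In the `@@ -1729,7 +1728,7 @@` hunk the result of `talloc_realloc()` is stored straight into `info->domain_groups`, so a failed reallocation overwrites the structure's pointer with NULL while `info->domain_group_count` keeps its old value. The old array itself is not freed by the failure, but any code that reads `info` on the error path would see a count with no array behind it. Whether a NULL check follows is not visible here, because the enclosing `if` block continues beyond the hunk. Reallocating into a local first keeps the structure consistent: `groups = talloc_realloc(info, info->domain_groups, struct PAC_DOMAIN_GROUP_MEMBERSHIP, info->domain_group_count + 1);`, then `info->domain_groups = groups;` only once `groups` has been checked.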
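Review bot: The call in the `@@ -1895,7 +1894,7 @@` hunk relies on `device_info->domain_groups` having the right parent already, which the new `info` argument to `talloc_realloc()` does not guarantee. `talloc_realloc()` uses its context argument only when the pointer it is given is NULL, so an array that already exists keeps whatever parent it was created with. The name `samba_kdc_update_device_info` suggests the structure may arrive already populated, but the hunk does not show where `device_info` or its array come from, so this may well be fine. A short comment at the call would record the assumption, for example `/* any existing device_info->domain_groups is already a talloc child of device_info */`. The surrounding function starts and ends outside the hunk.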