From: Andrew Bartlett
Date: Thu, 30 Jan 2020 03:41:39 +0000 (+1300)
Subject: dsdb: Correctly handle memory in objectclass_attrs
X-Git-Tag: samba-4.10.14~16
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4bc3641a083b2e23d4b291aec033fc5d8f0989ef;p=thirdparty%2Fsamba.git

dsdb: Correctly handle memory in objectclass_attrs

el->values is caller-provided memory that should be thought of as constant; it should not be assumed to be a talloc context.

Otherwise, if the caller gives constant memory or a stack pointer we will get an abort() in talloc when it expects a talloc magic in the memory preceding the el->values.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14258

Signed-off-by: Andrew Bartlett
Reviewed-by: Stefan Metzmacher
(cherry picked from commit 3657bbc21182d764ddfcd603025f24ec240fd263)
---
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c index 67c93ca08d8..438d39e2521 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c @@ -133,7 +133,16 @@ static int oc_auto_normalise(struct ldb_context *ldb, const struct dsdb_attribut for (i=0; inum_values; i++) { struct ldb_val v; int ret; - ret = attr->ldb_schema_attribute->syntax->canonicalise_fn(ldb, el->values, &el->values[i], &v); + /* + * We use msg->elements (owned by this module due to + * ldb_msg_copy_shallow()) as a memory context and + * then steal from there to the right spot if we don't + * free it. + */ + ret = attr->ldb_schema_attribute->syntax->canonicalise_fn(ldb, + msg->elements, + &el->values[i], + &v); if (ret != LDB_SUCCESS) { return ret; } @@ -156,6 +165,12 @@ static int oc_auto_normalise(struct ldb_context *ldb, const struct dsdb_attribut } el->values[i] = v; + + /* + * By now el->values is a talloc pointer under + * msg->elements and may now be used + */ + talloc_steal(el->values, v.data); } return LDB_SUCCESS; }
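
Review bot: In the first hunk (@@ -133,7 +133,16 @@), the new comment justifies passing msg->elements to canonicalise_fn by saying it is "owned by this module due to ldb_msg_copy_shallow()", but nothing in the visible lines of oc_auto_normalise() documents or checks that precondition. Suggest stating it in a function-level comment (msg must be this module's own shallow copy), so that a later caller passing a message it does not own cannot reintroduce the talloc abort the commit message describes. The phrase "if we don't free it" should also name the branch where v.data is freed, since that branch lies outside the hunk.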
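
Review bot: In the second hunk (@@ -156,6 +165,12 @@), talloc_steal(el->values, v.data) is only safe once el->values has been replaced with a talloc allocation, and the comment asserts this ("By now el->values is a talloc pointer under msg->elements") without pointing at the statement that guarantees it, which is outside the visible context. If any path reaches this line with el->values still caller-provided, the steal runs into the same talloc magic check the commit sets out to avoid. Suggest naming the earlier copy in the comment and rewording "may now be used" to say that el->values is used as the talloc parent for v.data. The diff touches only objectclass_attrs.c, so a regression test that passes constant or stack memory in el->values would be worth adding.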