From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 5 Aug 2021 11:30:41 +0000 (+0200)
Subject: CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info()
X-Git-Tag: samba-4.13.14~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6925a53a290d6d5fb310820bc62080492521cee4;p=thirdparty%2Fsamba.git

CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info()

We want to use this also in code without existing
stackframe.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/auth/auth_util.c b/auth/auth_util.c
index f3586f1fc1e..fe01babd107 100644
--- a/auth/auth_util.c
+++ b/auth/auth_util.c
@@ -26,26 +26,28 @@
 struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx,
 					    const struct auth_session_info *src)
 {
+	TALLOC_CTX *frame = talloc_stackframe();
 	struct auth_session_info *dst;
 	DATA_BLOB blob;
 	enum ndr_err_code ndr_err;
 
 	ndr_err = ndr_push_struct_blob(
 		&blob,
-		talloc_tos(),
+		frame,
 		src,
 		(ndr_push_flags_fn_t)ndr_push_auth_session_info);
 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 		DBG_ERR("copy_session_info(): ndr_push_auth_session_info "
 			"failed: %s\n",
 			ndr_errstr(ndr_err));
+		TALLOC_FREE(frame);
 		return NULL;
 	}
 
 	dst = talloc(mem_ctx, struct auth_session_info);
 	if (dst == NULL) {
 		DBG_ERR("talloc failed\n");
-		TALLOC_FREE(blob.data);
+		TALLOC_FREE(frame);
 		return NULL;
 	}
 
@@ -54,15 +56,16 @@ struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx,
 		dst,
 		dst,
 		(ndr_pull_flags_fn_t)ndr_pull_auth_session_info);
-	TALLOC_FREE(blob.data);
 
 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 		DBG_ERR("copy_session_info(): ndr_pull_auth_session_info "
 			"failed: %s\n",
 			ndr_errstr(ndr_err));
 		TALLOC_FREE(dst);
+		TALLOC_FREE(frame);
 		return NULL;
 	}
 
+	TALLOC_FREE(frame);
 	return dst;
 }