From: Joseph Sutton Date: Wed, 2 Aug 2023 23:39:12 +0000 (+1200) Subject: s4:dsdb: Fix leaks X-Git-Tag: tevent-0.16.0~1112 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d4db9a2793f4d51b85d266605f97c165f4d883dc;p=thirdparty%2Fsamba.git s4:dsdb: Fix leaks Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index 47e831339fa..ff8de2ea2e7 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -3439,6 +3439,7 @@ WERROR dsdb_loadreps(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, struct ld ret = dsdb_search_dn(sam_ctx, tmp_ctx, &res, dn, attrs, 0); if (ret == LDB_ERR_NO_SUCH_OBJECT) { /* partition hasn't been replicated yet */ + talloc_free(tmp_ctx); return WERR_OK; } if (ret != LDB_SUCCESS) { @@ -4733,6 +4734,7 @@ int dsdb_normalise_dn_and_find_nc_root(struct ldb_context *samdb, ldb_asprintf_errstring(samdb, "Request for NC root for %s failed to return any results.", ldb_dn_get_linearized(dn)); + talloc_free(tmp_ctx); return LDB_ERR_NO_SUCH_OBJECT; } *normalised_dn = context.dn; @@ -4912,6 +4914,7 @@ int dsdb_load_udv_v2(struct ldb_context *samdb, struct ldb_dn *dn, TALLOC_CTX *m /* we always store as version 2, and * replUpToDateVector is not replicated */ + talloc_free(r); return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX; } diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index 73b3b63671f..5eb076bf8b0 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c @@ -317,11 +317,13 @@ static int password_hash_bypass(struct ldb_module *module, struct ldb_request *r ndr_err = ndr_pull_struct_blob_all(&sce->values[0], scb, scb, (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "ndr_pull_struct_blob_all"); } if (scb->sub.num_packages < 2) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "num_packages < 2"); } @@ -331,11 +333,13 @@ static int password_hash_bypass(struct ldb_module *module, struct ldb_request *r subblob = strhex_to_data_blob(scb, scb->sub.packages[i].data); if (subblob.data == NULL) { + talloc_free(scb); return ldb_module_oom(module); } if (strcmp(scb->sub.packages[i].name, "Packages") == 0) { if (scpp) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "Packages twice"); @@ -346,6 +350,7 @@ static int password_hash_bypass(struct ldb_module *module, struct ldb_request *r } if (strcmp(scb->sub.packages[i].name, "Primary:Kerberos") == 0) { if (scpk) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "Primary:Kerberos twice"); @@ -356,6 +361,7 @@ static int password_hash_bypass(struct ldb_module *module, struct ldb_request *r } if (strcmp(scb->sub.packages[i].name, "Primary:Kerberos-Newer-Keys") == 0) { if (scpkn) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "Primary:Kerberos-Newer-Keys twice"); @@ -366,6 +372,7 @@ static int password_hash_bypass(struct ldb_module *module, struct ldb_request *r } if (strcmp(scb->sub.packages[i].name, "Primary:CLEARTEXT") == 0) { if (scpct) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "Primary:CLEARTEXT twice"); @@ -379,6 +386,7 @@ static int password_hash_bypass(struct ldb_module *module, struct ldb_request *r } if (scpp == NULL) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "Primary:Packages missing"); @@ -389,6 +397,7 @@ static int password_hash_bypass(struct ldb_module *module, struct ldb_request *r * If Primary:Kerberos is missing w2k8r2 reboots * when a password is changed. */ + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "Primary:Kerberos missing"); @@ -400,17 +409,20 @@ static int password_hash_bypass(struct ldb_module *module, struct ldb_request *r p = talloc_zero(scb, struct package_PackagesBlob); if (p == NULL) { + talloc_free(scb); return ldb_module_oom(module); } ndr_err = ndr_pull_struct_blob(&scpbp, p, p, (ndr_pull_flags_fn_t)ndr_pull_package_PackagesBlob); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "ndr_pull_struct_blob Packages"); } if (p->names == NULL) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "Packages names == NULL"); } @@ -420,6 +432,7 @@ static int password_hash_bypass(struct ldb_module *module, struct ldb_request *r } if (scb->sub.num_packages != (n + 1)) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "Packages num_packages != num_names + 1"); } @@ -432,55 +445,66 @@ static int password_hash_bypass(struct ldb_module *module, struct ldb_request *r k = talloc_zero(scb, struct package_PrimaryKerberosBlob); if (k == NULL) { + talloc_free(scb); return ldb_module_oom(module); } ndr_err = ndr_pull_struct_blob(&scpbk, k, k, (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "ndr_pull_struct_blob PrimaryKerberos"); } if (k->version != 3) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "PrimaryKerberos version != 3"); } if (k->ctr.ctr3.salt.string == NULL) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "PrimaryKerberos salt == NULL"); } if (strlen(k->ctr.ctr3.salt.string) == 0) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "PrimaryKerberos strlen(salt) == 0"); } if (k->ctr.ctr3.num_keys != 2) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "PrimaryKerberos num_keys != 2"); } if (k->ctr.ctr3.num_old_keys > k->ctr.ctr3.num_keys) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "PrimaryKerberos num_old_keys > num_keys"); } if (k->ctr.ctr3.keys[0].keytype != ENCTYPE_DES_CBC_MD5) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "PrimaryKerberos key[0] != DES_CBC_MD5"); } if (k->ctr.ctr3.keys[1].keytype != ENCTYPE_DES_CBC_CRC) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "PrimaryKerberos key[1] != DES_CBC_CRC"); } if (k->ctr.ctr3.keys[0].value_len != 8) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "PrimaryKerberos key[0] value_len != 8"); } if (k->ctr.ctr3.keys[1].value_len != 8) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "PrimaryKerberos key[1] value_len != 8"); } @@ -493,6 +517,7 @@ static int password_hash_bypass(struct ldb_module *module, struct ldb_request *r continue; } + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "PrimaryKerberos old_keys type/value_len doesn't match"); } @@ -505,76 +530,92 @@ static int password_hash_bypass(struct ldb_module *module, struct ldb_request *r k = talloc_zero(scb, struct package_PrimaryKerberosBlob); if (k == NULL) { + talloc_free(scb); return ldb_module_oom(module); } ndr_err = ndr_pull_struct_blob(&scpbkn, k, k, (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "ndr_pull_struct_blob PrimaryKerberosNeverKeys"); } if (k->version != 4) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "KerberosNerverKeys version != 4"); } if (k->ctr.ctr4.salt.string == NULL) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "KerberosNewerKeys salt == NULL"); } if (strlen(k->ctr.ctr4.salt.string) == 0) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "KerberosNewerKeys strlen(salt) == 0"); } if (k->ctr.ctr4.num_keys != 4) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "KerberosNewerKeys num_keys != 2"); } if (k->ctr.ctr4.num_old_keys > k->ctr.ctr4.num_keys) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "KerberosNewerKeys num_old_keys > num_keys"); } if (k->ctr.ctr4.num_older_keys > k->ctr.ctr4.num_old_keys) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "KerberosNewerKeys num_older_keys > num_old_keys"); } if (k->ctr.ctr4.keys[0].keytype != ENCTYPE_AES256_CTS_HMAC_SHA1_96) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "KerberosNewerKeys key[0] != AES256"); } if (k->ctr.ctr4.keys[1].keytype != ENCTYPE_AES128_CTS_HMAC_SHA1_96) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "KerberosNewerKeys key[1] != AES128"); } if (k->ctr.ctr4.keys[2].keytype != ENCTYPE_DES_CBC_MD5) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "KerberosNewerKeys key[2] != DES_CBC_MD5"); } if (k->ctr.ctr4.keys[3].keytype != ENCTYPE_DES_CBC_CRC) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "KerberosNewerKeys key[3] != DES_CBC_CRC"); } if (k->ctr.ctr4.keys[0].value_len != 32) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "KerberosNewerKeys key[0] value_len != 32"); } if (k->ctr.ctr4.keys[1].value_len != 16) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "KerberosNewerKeys key[1] value_len != 16"); } if (k->ctr.ctr4.keys[2].value_len != 8) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "KerberosNewerKeys key[2] value_len != 8"); } if (k->ctr.ctr4.keys[3].value_len != 8) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "KerberosNewerKeys key[3] value_len != 8"); } @@ -596,17 +637,20 @@ static int password_hash_bypass(struct ldb_module *module, struct ldb_request *r ct = talloc_zero(scb, struct package_PrimaryCLEARTEXTBlob); if (ct == NULL) { + talloc_free(scb); return ldb_module_oom(module); } ndr_err = ndr_pull_struct_blob(&scpbct, ct, ct, (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryCLEARTEXTBlob); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "ndr_pull_struct_blob PrimaryCLEARTEXT"); } if ((ct->cleartext.length % 2) != 0) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "PrimaryCLEARTEXT length % 2 != 0"); } @@ -617,16 +661,19 @@ static int password_hash_bypass(struct ldb_module *module, struct ldb_request *r ndr_err = ndr_push_struct_blob(&blob, scb, scb, (ndr_push_flags_fn_t)ndr_push_supplementalCredentialsBlob); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "ndr_pull_struct_blob_all"); } if (sce->values[0].length != blob.length) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "supplementalCredentialsBlob length differ"); } if (!mem_equal_const_time(sce->values[0].data, blob.data, blob.length)) { + talloc_free(scb); return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, "supplementalCredentialsBlob memcmp differ"); } diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c index 871043ec03a..7ce115f6bcc 100644 --- a/source4/dsdb/samdb/samdb.c +++ b/source4/dsdb/samdb/samdb.c @@ -175,7 +175,10 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, NT_STATUS_HAVE_NO_MEMORY(ptoken); ptoken->sids = talloc_array(ptoken, struct dom_sid, num_sids + 6 /* over-allocate */); - NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); + if (ptoken->sids == NULL) { + talloc_free(ptoken); + return NT_STATUS_NO_MEMORY; + } ptoken->num_sids = 0; @@ -191,7 +194,10 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, if (check_sid_idx == ptoken->num_sids) { ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1); - NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); + if (ptoken->sids == NULL) { + talloc_free(ptoken); + return NT_STATUS_NO_MEMORY; + } ptoken->sids[ptoken->num_sids] = sids[i].sid; ptoken->num_sids++;