From: Gary Lockyer
Date: Tue, 12 May 2020 22:56:56 +0000 (+1200)
Subject: CVE-2020-10730: lib ldb: Check if ldb_lock_backend_callback called twice
X-Git-Tag: ldb-1.5.8~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d6848d2f3f281956d8401f11ed1a6b609f802e21;p=thirdparty%2Fsamba.git

CVE-2020-10730: lib ldb: Check if ldb_lock_backend_callback called twice

Prevent use after free issues if ldb_lock_backend_callback is called twice, usually due to ldb_module_done being called twice. This can happen if a module ignores the return value from a function that calls ldb_module_done as part of its error handling.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

Signed-off-by: Gary Lockyer
Reviewed-by: Andrew Bartlett
---
diff --git a/lib/ldb/common/ldb.c b/lib/ldb/common/ldb.c index 44a487ba987..090d41dde69 100644 --- a/lib/ldb/common/ldb.c +++ b/lib/ldb/common/ldb.c @@ -1009,6 +1009,13 @@ static int ldb_lock_backend_callback(struct ldb_request *req, struct ldb_db_lock_context *lock_context; int ret; + if (req->context == NULL) { + /* + * The usual way to get here is to ignore the return codes + * and continuing processing after an error. + */ + abort(); + } lock_context = talloc_get_type(req->context, struct ldb_db_lock_context); @@ -1023,7 +1030,7 @@ static int ldb_lock_backend_callback(struct ldb_request *req, * If this is a LDB_REPLY_DONE or an error, unlock the * DB by calling the destructor on this context */ - talloc_free(lock_context); + TALLOC_FREE(req->context); return ret; }
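Review bot: In the first hunk (the new `if (req->context == NULL)` block at the top of ldb_lock_backend_callback), the check only works as a double-call guard because the same function later clears `req->context`; the comment should say so, e.g. "req->context is set to NULL by TALLOC_FREE below once the lock context has been released, so reaching this with NULL means the callback was invoked again after completion", otherwise a later reader may treat it as an unreachable defensive check and remove it. Calling `abort()` rather than returning an error is the right trade here: the second invocation would otherwise dereference the already-freed lock context, so a deterministic crash is strictly better than silent memory corruption, but the commit message's root cause (a module ignoring the return value of a function that already called ldb_module_done) means the real fix belongs in the offending module, and this guard is what makes such a bug show up as a reproducible abort in testing instead of a heap use-after-free.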
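Review bot: In the second hunk, the switch from `talloc_free(lock_context)` to `TALLOC_FREE(req->context)` deserves a one-line comment, because functionally both free the same allocation (`lock_context` was obtained from `req->context` via talloc_get_type a few lines earlier) and the behavioural difference is only that the macro also sets `req->context` to NULL, which is what arms the early check in the first hunk on any later call. Suggested wording above the line: "TALLOC_FREE also NULLs req->context so a second call into this callback is caught by the check at the top instead of using freed memory." The function returns `ret` immediately afterwards, so no remaining code in this path touches `lock_context` after the free.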