From: Arran Cudbard-Bell <a.cudbardb@freeradius.org>
Date: Sun, 12 May 2024 16:51:30 +0000 (-0600)
Subject: Don't allocate xlat function memory directly in the context we were passed
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f786e2dd991f5ff43d3a185a83bc952118477047;p=thirdparty%2Ffreeradius-server.git

Don't allocate xlat function memory directly in the context we were passed

This memory can be mprotected, and when the xlat functions get balanced in the rbtree we get a SEGV
---

diff --git a/src/lib/unlang/xlat_func.c b/src/lib/unlang/xlat_func.c
index 569fce16227..91a1f4a396b 100644
--- a/src/lib/unlang/xlat_func.c
+++ b/src/lib/unlang/xlat_func.c
@@ -239,13 +239,21 @@ xlat_t *xlat_func_register(TALLOC_CTX *ctx, char const *name, xlat_func_t func,
 	/*
 	 *	Doesn't exist.  Create it.
 	 */
-	MEM(c = talloc(ctx, xlat_t));
+	MEM(c = talloc(NULL, xlat_t));
 	*c = (xlat_t){
 		.name = talloc_typed_strdup(c, name),
 		.func = func,
 		.return_type = return_type,
 		.input_type = XLAT_INPUT_UNPROCESSED	/* set default - will be overridden if args are registered */
 	};
+
+ 	/*
+	 *	Don't allocate directly in the parent ctx, it might be mprotected
+	 *	later, and that'll cause segfaults if any of the xlat_t are still
+	 *	protected when we start shuffling the contents of the rbtree.
+	 */
+	if (ctx) talloc_link_ctx(c, ctx);
+
 	talloc_set_destructor(c, _xlat_func_talloc_free);
 	DEBUG3("%s: %s", __FUNCTION__, c->name);