From: Andrew Bartlett <abartlet@samba.org>
Date: Wed, 29 Jun 2016 23:44:50 +0000 (-0700)
Subject: lib: talloc: As _tc_free_internal() takes a struct talloc_chunk *, add an extra paran... 
X-Git-Tag: tdb-1.3.10~567
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fde0d0de71d4b670189555745b8155613aace599;p=thirdparty%2Fsamba.git

lib: talloc: As _tc_free_internal() takes a struct talloc_chunk *, add an extra paranoia check against destructor overwrite.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
---

diff --git a/lib/talloc/talloc.c b/lib/talloc/talloc.c
index 428fb8aa7ad..cd0ec3d09e9 100644
--- a/lib/talloc/talloc.c
+++ b/lib/talloc/talloc.c
@@ -1034,6 +1034,20 @@ static inline int _tc_free_internal(struct talloc_chunk *tc,
 
 	if (unlikely(tc->destructor)) {
 		talloc_destructor_t d = tc->destructor;
+
+		/*
+		 * Protect the destructor against some overwrite
+		 * attacks, by explicitly checking it has the right
+		 * magic here.
+		 */
+		if (talloc_chunk_from_ptr(ptr) != tc) {
+			/*
+			 * This can't actually happen, the
+			 * call itself will panic.
+			 */
+			TALLOC_ABORT("talloc_chunk_from_ptr failed!");
+		}
+
 		if (d == (talloc_destructor_t)-1) {
 			return -1;
 		}