dsdb: fix bug 15872, use-after-free

We were finding the old element, reallocing, then copying,
which is the wrong order.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15872

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Jul 30 02:03:40 UTC 2025 on atb-devel-224

diff --git a/source4/dsdb/kcc/scavenge_dns_records.c b/source4/dsdb/kcc/scavenge_dns_records.c
index f41250cbd1b96ba41e0a173eb7bf2d7cca49cce0..0a5016fa62bca44a5e6414c1c034e4ca3651b73e 100644 (file)
--- a/source4/dsdb/kcc/scavenge_dns_records.c
+++ b/source4/dsdb/kcc/scavenge_dns_records.c
@@ -182,19 +182,23 @@ static NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
                        return NT_STATUS_INTERNAL_ERROR;
                }
 
-               old_el = ldb_msg_find_element(new_msg, "dnsRecord");
-               if (old_el == NULL) {
+               /*
+                * This empty record will become the replacement for old_el.
+                * (we add it first because it reallocs).
+                */
+               ret = ldb_msg_add_empty(
+                   new_msg, "dnsRecord", LDB_FLAG_MOD_ADD, &el);
+               if (ret != LDB_SUCCESS) {
                        TALLOC_FREE(new_msg);
                        return NT_STATUS_INTERNAL_ERROR;
                }
-               old_el->flags = LDB_FLAG_MOD_DELETE;
 
-               ret = ldb_msg_add_empty(
-                   new_msg, "dnsRecord", LDB_FLAG_MOD_ADD, &el);
-               if (ret != LDB_SUCCESS) {
+               old_el = ldb_msg_find_element(new_msg, "dnsRecord");
+               if (old_el == NULL || old_el == el) {
                        TALLOC_FREE(new_msg);
                        return NT_STATUS_INTERNAL_ERROR;
                }
+               old_el->flags = LDB_FLAG_MOD_DELETE;
 
                status = copy_current_records(new_msg, old_el, el, dns_timestamp);