From 750f6847f04d5c18ee308ac8bc5bc0828c32deeb Mon Sep 17 00:00:00 2001
From: Douglas Bagnall
Date: Sun, 22 Jun 2025 15:05:39 +1200
Subject: [PATCH] dsdb: fix bug 15872, use-after-free

We were finding the old element, reallocing, then copying, which is the wrong order.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15872

Signed-off-by: Douglas Bagnall
Reviewed-by: Jennifer Sutton

Autobuild-User(master): Douglas Bagnall
Autobuild-Date(master): Wed Jul 30 02:03:40 UTC 2025 on atb-devel-224
---
 source4/dsdb/kcc/scavenge_dns_records.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/source4/dsdb/kcc/scavenge_dns_records.c b/source4/dsdb/kcc/scavenge_dns_records.c
index f41250cbd1b..0a5016fa62b 100644
--- a/source4/dsdb/kcc/scavenge_dns_records.c
+++ b/source4/dsdb/kcc/scavenge_dns_records.c
@@ -182,19 +182,23 @@ static NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_INTERNAL_ERROR;
 	}
 
-	old_el = ldb_msg_find_element(new_msg, "dnsRecord");
-	if (old_el == NULL) {
+	/*
+	 * This empty record will become the replacement for old_el.
+	 * (we add it first because it reallocs).
+	 */
+	ret = ldb_msg_add_empty(
+		new_msg, "dnsRecord", LDB_FLAG_MOD_ADD, &el);
+	if (ret != LDB_SUCCESS) {
 		TALLOC_FREE(new_msg);
 		return NT_STATUS_INTERNAL_ERROR;
 	}
-	old_el->flags = LDB_FLAG_MOD_DELETE;
-	ret = ldb_msg_add_empty(
-		new_msg, "dnsRecord", LDB_FLAG_MOD_ADD, &el);
-	if (ret != LDB_SUCCESS) {
+	old_el = ldb_msg_find_element(new_msg, "dnsRecord");
+	if (old_el == NULL || old_el == el) {
 		TALLOC_FREE(new_msg);
 		return NT_STATUS_INTERNAL_ERROR;
 	}
+	old_el->flags = LDB_FLAG_MOD_DELETE;
 
 	status = copy_current_records(new_msg, old_el, el, dns_timestamp);
-- 
2.47.2
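Review bot: The new guard `if (old_el == NULL || old_el == el)` appears to rely on two ldb properties the hunk leaves implicit: `ldb_msg_add_empty` appends the new element at the end of `new_msg->elements`, and `ldb_msg_find_element` returns the first element whose name matches, so after the append the first match is the pre-existing record and equals `el` only when no dnsRecord existed at all. A one-line comment above the check would make that explicit, e.g. `/* find_element returns the first match; it is our freshly added (last) element only if no dnsRecord existed */`. The added comment "(we add it first because it reallocs)" would also be more useful if it named what goes stale: `ldb_msg_add_empty` may realloc `new_msg->elements`, so any element pointer obtained before the call (the old `old_el`) dangles, which is the use-after-free this commit removes. The enclosing function `dns_tombstone_records_zone` continues outside the hunk, and whether `copy_current_records` itself can grow the elements array (which would invalidate both `old_el` and `el`) is not visible here.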