From 26e33b1984cce3549df170f58f8221201ad54cfd Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Tue, 7 Jan 2020 16:29:05 +0100
Subject: [PATCH] util/sss_ptr_hash: fixed double free in
sss_ptr_hash_delete_cb()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Calling data->callback(value->ptr) in sss_ptr_hash_delete_cb() could lead
to freeing of value->ptr and thus to destruction of value->spy that is
attached to value->ptr.
In turn sss_ptr_hash_spy_destructor() calls sss_ptr_hash_delete() ->
hash_delete() -> sss_ptr_hash_delete_cb() again and in this recursive
execution hash entry was actually deleted and value was freed.
When stack was unwound back to "first" sss_ptr_hash_delete_cb() it tried
to free value again => double free.
To prevent this bug value and hence spy are now freed before execution of
data->callback(value->ptr).
Resolves: https://pagure.io/SSSD/sssd/issue/4135
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/util/sss_ptr_hash.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c
index c7403ffa6..8f9762cb9 100644
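--- a/src/util/sss_ptr_hash.c
+++ b/src/util/sss_ptr_hash.c
@@ -154,13 +154,13 @@ sss_ptr_hash_delete_cb(hash_entry_t *item,
 callback_entry.value.type = HASH_VALUE_PTR;
 callback_entry.value.ptr = value->ptr;
 
+ /* Free value, this also will disable spy */
+ talloc_free(value);
+
 /* Switch to the input value and call custom callback. */
 if (data->callback != NULL) {
 data->callback(&callback_entry, deltype, data->pvt);
 }
-
- /* Free value. */
- talloc_free(value);
 }
 
 hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx,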
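Review bot: Placing `talloc_free(value)` before `data->callback(...)` is now a memory-safety invariant, but the added comment does not say why, so a later cleanup could move the free back below the callback and reintroduce the double free. I would expand it to something like `/* Free value (and its spy) before the callback: the callback may free value->ptr, and a live spy would re-enter this function and free value twice. */`. The result of `talloc_free(value)` is also ignored; if it can fail here, the spy would presumably stay armed, so a debug message on a non-zero return would make that case visible. The diffstat shows only sss_ptr_hash.c changed, so a regression test in which the delete callback frees the stored pointer would be worth adding. The function body starts above the hunk, so this assumes nothing there relies on `value` staying valid until after the callback.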
--
2.20.1