|
|
b833e0 |
From 81e757b7b1d69893b5725f9c148c55d89c779e7b Mon Sep 17 00:00:00 2001
|
|
|
b833e0 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
b833e0 |
Date: Tue, 3 Nov 2020 10:12:15 +0100
|
|
|
b833e0 |
Subject: [PATCH] ifp: fix use-after-free
|
|
|
b833e0 |
MIME-Version: 1.0
|
|
|
b833e0 |
Content-Type: text/plain; charset=UTF-8
|
|
|
b833e0 |
Content-Transfer-Encoding: 8bit
|
|
|
b833e0 |
|
|
|
b833e0 |
The variable fqdn is pointing to some data from state->res->msgs[0]. But
|
|
|
b833e0 |
before fqdn is used in the next search state->res and the memory
|
|
|
b833e0 |
hierarchy below is freed. As a result the location where fqdn is pointing
|
|
|
b833e0 |
to might hold the expected data or other data and the search will fail
|
|
|
b833e0 |
intermittently.
|
|
|
b833e0 |
|
|
|
b833e0 |
Resolves: https://github.com/SSSD/sssd/issues/5382
|
|
|
b833e0 |
|
|
|
b833e0 |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
b833e0 |
---
|
|
|
b833e0 |
src/responder/ifp/ifpsrv_cmd.c | 1 +
|
|
|
b833e0 |
1 file changed, 1 insertion(+)
|
|
|
b833e0 |
|
|
|
b833e0 |
diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
|
|
|
b833e0 |
index 9f20bf2db..d95618127 100644
|
|
|
b833e0 |
--- a/src/responder/ifp/ifpsrv_cmd.c
|
|
|
b833e0 |
+++ b/src/responder/ifp/ifpsrv_cmd.c
|
|
|
b833e0 |
@@ -128,6 +128,7 @@ static void ifp_user_get_attr_done(struct tevent_req *subreq)
|
|
|
b833e0 |
tevent_req_error(req, ERR_INTERNAL);
|
|
|
b833e0 |
return;
|
|
|
b833e0 |
}
|
|
|
b833e0 |
+ fqdn = talloc_steal(state, fqdn);
|
|
|
b833e0 |
|
|
|
b833e0 |
if (state->search_type == SSS_DP_USER) {
|
|
|
b833e0 |
/* throw away the result and perform attr search */
|
|
|
b833e0 |
--
|
|
|
b833e0 |
2.21.3
|
|
|
b833e0 |
|