From 303947c58abf9311a666fe63ebd4ce26655ff36e Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary@catalyst.net.nz>
Date: Wed, 13 May 2020 10:56:56 +1200
Subject: [PATCH 10/22] CVE-2020-10730: lib ldb: Check if
ldb_lock_backend_callback called twice
Prevent use after free issues if ldb_lock_backend_callback is called
twice, usually due to ldb_module_done being called twice. This can happen if a
module ignores the return value from a function that calls
ldb_module_done as part of its error handling.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
lib/ldb/common/ldb.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/ldb/common/ldb.c b/lib/ldb/common/ldb.c
index 95e9138a56b..2d0926ffaf9 100644
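--- a/lib/ldb/common/ldb.c
+++ b/lib/ldb/common/ldb.c
@@ -1018,6 +1018,13 @@ static int ldb_lock_backend_callback(struct ldb_request *req,
 struct ldb_db_lock_context *lock_context;
 int ret;
 
+ if (req->context == NULL) {
+ /*
+ * The usual way to get here is to ignore the return codes
+ * and continuing processing after an error.
+ */
+ abort();
+ }
 lock_context = talloc_get_type(req->context,
 struct ldb_db_lock_context);
 
@@ -1032,7 +1039,7 @@ static int ldb_lock_backend_callback(struct ldb_request *req,
 * If this is a LDB_REPLY_DONE or an error, unlock the
 * DB by calling the destructor on this context
 */
- talloc_free(lock_context);
+ TALLOC_FREE(req->context);
 return ret;
 }
 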
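Review bot: The new `req->context == NULL` guard detects a second call only because the second hunk's `TALLOC_FREE(req->context)` clears the pointer, and neither hunk says so; a later change back to `talloc_free()` would silently disable the check. I would add to the guard's comment `* req->context is reset to NULL by TALLOC_FREE() at the end of this callback, so NULL here means a second call.` The lookup after the guard still uses `talloc_get_type()`, which returns NULL on a type mismatch; the function starts outside the hunk and the lines between the two hunks are not shown, but if they dereference `lock_context` unchecked, `talloc_get_type_abort(req->context, struct ldb_db_lock_context)` would fail as deliberately as the guard does. Since `abort()` ends the whole process hosting ldb, it is also worth confirming that the double-call path cannot be reached from remote input alone, because the fix would then trade the use-after-free for a denial of service.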
--
2.17.1