sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-08-21 09:49:28 +03:00
Code Activity

CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info()

Browse Source 
We want to use this also in code without existing
stackframe.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Stefan Metzmacher
2021-08-05 13:30:41 +02:00
committed by Joseph Sutton
parent 129b3694a1
commit 462d635966
1 changed files with 6 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
auth/auth_util.c
View File

@ -26,26 +26,28 @@
struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx,
const struct auth_session_info *src)
{
TALLOC_CTX *frame = talloc_stackframe();
struct auth_session_info *dst;
DATA_BLOB blob;
enum ndr_err_code ndr_err;
ndr_err = ndr_push_struct_blob(
&blob,
talloc_tos(),
frame,
src,
(ndr_push_flags_fn_t)ndr_push_auth_session_info);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
DBG_ERR("copy_session_info(): ndr_push_auth_session_info "
"failed: %s\n",
ndr_errstr(ndr_err));
TALLOC_FREE(frame);
return NULL;
}
dst = talloc(mem_ctx, struct auth_session_info);
if (dst == NULL) {
DBG_ERR("talloc failed\n");
TALLOC_FREE(blob.data);
TALLOC_FREE(frame);
return NULL;
}
@ -54,15 +56,16 @@ struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx,
dst,
dst,
(ndr_pull_flags_fn_t)ndr_pull_auth_session_info);
TALLOC_FREE(blob.data);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
DBG_ERR("copy_session_info(): ndr_pull_auth_session_info "
"failed: %s\n",
ndr_errstr(ndr_err));
TALLOC_FREE(dst);
TALLOC_FREE(frame);
return NULL;
}
TALLOC_FREE(frame);
return dst;
}