1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

s3/utils: Fix use after free with popt 1.19

popt1.19 fixes a leak that exposes a use as free,
make sure we duplicate return of poptGetArg if
poptFreeContext is called before we use it.

==5914== Invalid read of size 1
==5914==    at 0x4FDF740: strlcpy (in /usr/lib64/libbsd.so.0.11.6)
==5914==    by 0x49E09A9: tdbsam_getsampwnam (pdb_tdb.c:583)
==5914==    by 0x49D94E5: pdb_getsampwnam (pdb_interface.c:340)
==5914==    by 0x10DED1: print_user_info (pdbedit.c:372)
==5914==    by 0x111413: main (pdbedit.c:1324)
==5914==  Address 0x73b6750 is 0 bytes inside a block of size 7 free'd
==5914==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5914==    by 0x4C508B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5914==    by 0x4C515D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5914==    by 0x1113E6: main (pdbedit.c:1323)
==5914==  Block was alloc'd at
==5914==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5914==    by 0x4C522EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5914==    by 0x110AE5: main (pdbedit.c:1137)
==5914==

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit e82699fcca)
This commit is contained in:
Noel Power 2022-10-14 11:35:51 +01:00 committed by Jule Anger
parent 1efcc10c9d
commit 4b35fa3f85

View File

@ -1150,7 +1150,7 @@ int main(int argc, const char **argv)
poptGetArg(pc); /* Drop argv[0], the program name */
if (user_name == NULL)
user_name = poptGetArg(pc);
user_name = talloc_strdup(frame, poptGetArg(pc));
setparms = (backend ? BIT_BACKEND : 0) +
(verbose ? BIT_VERBOSE : 0) +