mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
lib: talloc: As _tc_free_internal() takes a struct talloc_chunk *, add an extra paranoia check against destructor overwrite.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
This commit is contained in:
parent
d2a5927bd7
commit
fde0d0de71
@ -1034,6 +1034,20 @@ static inline int _tc_free_internal(struct talloc_chunk *tc,
|
||||
|
||||
if (unlikely(tc->destructor)) {
|
||||
talloc_destructor_t d = tc->destructor;
|
||||
|
||||
/*
|
||||
* Protect the destructor against some overwrite
|
||||
* attacks, by explicitly checking it has the right
|
||||
* magic here.
|
||||
*/
|
||||
if (talloc_chunk_from_ptr(ptr) != tc) {
|
||||
/*
|
||||
* This can't actually happen, the
|
||||
* call itself will panic.
|
||||
*/
|
||||
TALLOC_ABORT("talloc_chunk_from_ptr failed!");
|
||||
}
|
||||
|
||||
if (d == (talloc_destructor_t)-1) {
|
||||
return -1;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user