
librpc: Fix talloc hierarchy for ndr_compression_state

The complexity of generic_mszip_free() is not needed, nor is a talloc
destructor required if the memory is correctly created in a tree.

Credit to OSS-Fuzz for showing the use-after-free

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57608

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15349

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
This commit is contained in:
Andrew Bartlett 2023-05-01 14:13:15 +12:00
parent 7dab9edca8
commit ff2de50aa4
2 changed files with 7 additions and 59 deletions


@ -369,8 +369,7 @@ static enum ndr_err_code ndr_pull_folder_cfdata(struct ndr_pull *ndr,
}
}
ndr_pull_compression_state_free(ndr->cstate);
ndr->cstate = NULL;
TALLOC_FREE(ndr->cstate);
return NDR_ERR_SUCCESS;
}
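Review bot: `TALLOC_FREE(ndr->cstate)` now carries the entire cleanup of the compression state, but nothing at this call site tells a reader that the zlib stream and the pre-allocated dictionary are released with it; a short comment would make the ownership explicit, e.g. `/* cstate owns its z_stream and dictionary (talloc children), so freeing it releases them too */`. That only holds when the state was built by the reworked generic_mszip_init in the other file of this commit, which allocates both under `state`, so the comment should say so rather than leave it implied. The enclosing function ndr_pull_folder_cfdata starts before this hunk.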


@ -977,36 +977,24 @@ enum ndr_err_code ndr_push_compression_end(struct ndr_push *subndr,
return NDR_ERR_SUCCESS;
}
static enum ndr_err_code generic_mszip_init(TALLOC_CTX *mem_ctx,
struct ndr_compression_state *state)
static enum ndr_err_code generic_mszip_init(struct ndr_compression_state *state)
{
z_stream *z = talloc_zero(mem_ctx, z_stream);
z_stream *z = talloc_zero(state, z_stream);
NDR_ERR_HAVE_NO_MEMORY(z);
z->zalloc = ndr_zlib_alloc;
z->zfree = ndr_zlib_free;
z->opaque = mem_ctx;
z->opaque = state;
state->alg.mszip.z = z;
state->alg.mszip.dict_size = 0;
/* pre-alloc dictionary */
state->alg.mszip.dict = talloc_array(mem_ctx, uint8_t, 0x8000);
state->alg.mszip.dict = talloc_array(state, uint8_t, 0x8000);
NDR_ERR_HAVE_NO_MEMORY(state->alg.mszip.dict);
return NDR_ERR_SUCCESS;
}
static void generic_mszip_free(struct ndr_compression_state *state)
{
if (state == NULL) {
return;
}
TALLOC_FREE(state->alg.mszip.z);
TALLOC_FREE(state->alg.mszip.dict);
}
enum ndr_err_code ndr_pull_compression_state_init(struct ndr_pull *ndr,
enum ndr_compression_alg compression_alg,
struct ndr_compression_state **state)
@ -1025,7 +1013,7 @@ enum ndr_err_code ndr_pull_compression_state_init(struct ndr_pull *ndr,
case NDR_COMPRESSION_XPRESS_HUFF_RAW:
break;
case NDR_COMPRESSION_MSZIP_CAB:
NDR_CHECK(generic_mszip_init(ndr, s));
NDR_CHECK(generic_mszip_init(s));
z_ret = inflateInit2(s->alg.mszip.z, -MAX_WBITS);
if (z_ret != Z_OK) {
return ndr_pull_error(ndr, NDR_ERR_COMPRESSION,
@ -1045,44 +1033,6 @@ enum ndr_err_code ndr_pull_compression_state_init(struct ndr_pull *ndr,
return NDR_ERR_SUCCESS;
}
void ndr_pull_compression_state_free(struct ndr_compression_state *state)
{
if (state == NULL) {
return;
}
switch (state->type) {
case NDR_COMPRESSION_NONE:
case NDR_COMPRESSION_MSZIP:
case NDR_COMPRESSION_XPRESS:
case NDR_COMPRESSION_XPRESS_HUFF_RAW:
break;
case NDR_COMPRESSION_MSZIP_CAB:
generic_mszip_free(state);
break;
default:
break;
}
TALLOC_FREE(state);
}
static int ndr_push_compression_state_free(struct ndr_compression_state *state)
{
switch (state->type) {
case NDR_COMPRESSION_NONE:
case NDR_COMPRESSION_MSZIP:
case NDR_COMPRESSION_XPRESS:
case NDR_COMPRESSION_XPRESS_HUFF_RAW:
break;
case NDR_COMPRESSION_MSZIP_CAB:
generic_mszip_free(state);
break;
default:
break;
}
return 0;
}
enum ndr_err_code ndr_push_compression_state_init(struct ndr_push *ndr,
enum ndr_compression_alg compression_alg,
struct ndr_compression_state **state)
@ -1109,7 +1059,7 @@ enum ndr_err_code ndr_push_compression_state_init(struct ndr_push *ndr,
case NDR_COMPRESSION_MSZIP:
break;
case NDR_COMPRESSION_MSZIP_CAB:
NDR_CHECK(generic_mszip_init(ndr, s));
NDR_CHECK(generic_mszip_init(s));
z_ret = deflateInit2(s->alg.mszip.z,
Z_DEFAULT_COMPRESSION,
Z_DEFLATED,
@ -1129,7 +1079,6 @@ enum ndr_err_code ndr_push_compression_state_init(struct ndr_push *ndr,
break;
}
talloc_set_destructor(s, ndr_push_compression_state_free);
*state = s;
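Review bot: ndr_pull_compression_state_free was a non-static function and this commit touches only two files, so its prototype very likely survives in the header that declared it and any other caller would now fail to link; confirm the declaration is removed alongside the definition in the same change. The `inflateInit2` and `deflateInit2` error paths that follow `NDR_CHECK(generic_mszip_init(s))` still return without freeing `s`, which is acceptable only because `s` hangs off a talloc parent the caller owns — the allocation of `s` is outside these hunks, so that is inferred rather than seen. The `0x8000` dictionary size in generic_mszip_init is a magic number that would read better as a named constant with a comment on why that size is required. Both ndr_pull_compression_state_init and ndr_push_compression_state_init extend beyond the hunks shown here.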