mirror of
https://github.com/samba-team/samba.git
synced 2025-01-26 10:04:02 +03:00
8abac09763
We often loop over the array of domain children. However, the size of the array is calculated as lp_winbind_max_domain_connections() which can change (it is based on smb.conf). The fix is the talloc_array_length().

Reproducer:

    winbind max domain connections = 100
    smbcontrol all reload-config
    smbcontrol all debug 10

/var/log/samba/log.winbindd shows many lines with random garbage pid:

    [2023/08/25 10:03:49.898994, 10, pid=158296, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_dual.c:885(winbind_msg_relay_fn)
      winbind_msg_relay_fn: sending message to pid 1037686087.
    [2023/08/25 10:03:49.899010, 3, pid=158296, effective(0, 0), real(0, 0)] ../../source3/lib/util_procid.c:53(pid_to_procid)
      pid_to_procid: messaging_dgm_get_unique failed: No such file or directory

In this scenario we dereference only a garbage PID, but if we would dereference some garbage pointer we would segfault.

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
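The stale loop bound described in the commit message, as an added illustration that is not part of the Samba commit. Assumptions: `struct child_array` is a hypothetical stand-in for a talloc array (whose allocated length `talloc_array_length()` reports), `cfg_max_domain_connections` stands in for `lp_winbind_max_domain_connections()`, and the initial value of 1 and the PID 4242 are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Assumption: stand-in for the smb.conf-backed value; it can change on reload. */
static int cfg_max_domain_connections = 1;

/* Assumption: stand-in for a talloc array; len is fixed at allocation time. */
struct child_array {
    size_t len;
    pid_t *pids;
};

static int child_array_init(struct child_array *a)
{
    a->len = (size_t)cfg_max_domain_connections;
    a->pids = calloc(a->len, sizeof(pid_t));
    return a->pids != NULL ? 0 : -1;
}

/* Pre-fix bound: count the indices a loop bounded by the live config value
 * would visit past the allocation. It only counts, it never dereferences. */
static size_t oob_indices_with_config_bound(const struct child_array *a)
{
    size_t oob = 0;
    for (int i = 0; i < cfg_max_domain_connections; i++)
        if ((size_t)i >= a->len)
            oob++;
    return oob;
}

/* Post-fix bound: iterate over the length recorded with the allocation. */
static size_t relay_to_children(const struct child_array *a)
{
    size_t sent = 0;
    for (size_t i = 0; i < a->len; i++)
        if (a->pids[i] != 0)   /* skip slots with no child process */
            sent++;
    return sent;
}

int main(void)
{
    struct child_array a;
    if (child_array_init(&a) != 0) return 1;   /* allocated with 1 slot */
    a.pids[0] = 4242;                          /* constructed child PID */
    cfg_max_domain_connections = 100;          /* config reloaded */
    printf("config-bound loop: %zu out-of-bounds slots\n", oob_indices_with_config_bound(&a));
    printf("length-bound loop: %zu messages sent\n", relay_to_children(&a));
    free(a.pids);
    return 0;
}
```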