CVE-2020-10730: lib ldb: Check if ldb_lock_backend_callback called twice
authorGary Lockyer <gary@catalyst.net.nz>
Tue, 12 May 2020 22:56:56 +0000 (10:56 +1200)
committerKarolin Seeger <kseeger@samba.org>
Thu, 25 Jun 2020 08:43:52 +0000 (10:43 +0200)
Prevent use after free issues if ldb_lock_backend_callback is called
twice, usually due to ldb_module_done being called twice. This can happen if a
module ignores the return value from a function that calls
ldb_module_done as part of its error handling.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
lib/ldb/common/ldb.c

index 8c86dca45a1e20cf32b83955eac234c3b6d7ba63..0fec89a52a80e995ef48388a7eff31d23eb8bb70 100644 (file)
@@ -1018,6 +1018,13 @@ static int ldb_lock_backend_callback(struct ldb_request *req,
        struct ldb_db_lock_context *lock_context;
        int ret;
 
+       if (req->context == NULL) {
+               /*
+                * The usual way to get here is to ignore the return codes
+                * and continuing processing after an error.
+                */
+               abort();
+       }
        lock_context = talloc_get_type(req->context,
                                       struct ldb_db_lock_context);
 
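Review bot: The new guard only catches req->context being NULL; the talloc_get_type() on the following two lines returns NULL on a type mismatch and that result is still not checked before lock_context is used later in the function, whose body continues outside this hunk. Since the commit already chooses fail-fast over a use-after-free, the same treatment fits here: `if (lock_context == NULL) { abort(); }` right after the talloc_get_type() call, or collapse both checks into one. Note that abort() takes down the whole calling process (for Samba, the AD DC), so this deliberately converts a module bug from memory corruption into a crash; the comment would be clearer if it said so and named the invariant it relies on, e.g. `/* req->context is cleared when the lock is released; reaching here with NULL means ldb_module_done() was called twice, so fail hard rather than use freed memory. */`. The added comment also has a grammar slip, `and continuing processing` should read `and continue processing`.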
@@ -1032,7 +1039,7 @@ static int ldb_lock_backend_callback(struct ldb_request *req,
                 * If this is a LDB_REPLY_DONE or an error, unlock the
                 * DB by calling the destructor on this context
                 */
-               talloc_free(lock_context);
+               TALLOC_FREE(req->context);
                return ret;
        }