s4:ldb_map Fix use-after-free of memory in ldb_map

We need to keep the old 'ares' from the remote server around so we can forward
it back to the caller.  We can't send the same controls (from the last search
entry) twice (and it makes no sense anyway).

Andrew Bartlett

diff --git a/source4/lib/ldb/ldb_map/ldb_map_outbound.c b/source4/lib/ldb/ldb_map/ldb_map_outbound.c
index 6a8e796ca4646d0b5d93c340e07df3a16779c46a..45caffeeae028e9b1c55818ec59c4284f063eb8f 100644 (file)
--- a/source4/lib/ldb/ldb_map/ldb_map_outbound.c
+++ b/source4/lib/ldb/ldb_map/ldb_map_outbound.c
@@ -1261,7 +1261,7 @@ static int map_remote_search_callback(struct ldb_request *req,
                        return ret;
                }
 
-               talloc_free(ares);
+               ac->remote_done_ares = talloc_steal(ac, ares);
 
                ret = map_search_local(ac);
                if (ret != LDB_SUCCESS) {
@@ -1333,6 +1333,7 @@ int map_local_merge_callback(struct ldb_request *req, struct ldb_reply *ares)
                break;
 
        case LDB_REPLY_DONE:
+               /* We don't need the local 'ares', but we will use the remote one from below */
                talloc_free(ares);
 
                /* No local record found, map and send remote record */
@@ -1371,9 +1372,9 @@ int map_local_merge_callback(struct ldb_request *req, struct ldb_reply *ares)
                /* ok we are done with all search, finally it is time to
                 * finish operations for this module */
                return ldb_module_done(ac->req,
-                                       ac->r_current->remote->controls,
-                                       ac->r_current->remote->response,
-                                       ac->r_current->remote->error);
+                                       ac->remote_done_ares->controls,
+                                       ac->remote_done_ares->response,
+                                       ac->remote_done_ares->error);
        }
 
        return LDB_SUCCESS;

diff --git a/source4/lib/ldb/ldb_map/ldb_map_private.h b/source4/lib/ldb/ldb_map/ldb_map_private.h
index 612d215ae95b6965a09844b70155f34e8930f25c..1ea9e5871fb479bd18b5ac62837c63d08452908b 100644 (file)
--- a/source4/lib/ldb/ldb_map/ldb_map_private.h
+++ b/source4/lib/ldb/ldb_map/ldb_map_private.h
@@ -37,6 +37,9 @@ struct map_context {
 
        struct map_reply *r_list;
        struct map_reply *r_current;
+
+       /* The response continaing any controls the remote server gave */
+       struct ldb_reply *remote_done_ares;
 };
 
 /* Common operations