From acae1428d8fc839e7c7f66d1b02dd17e6e5a9a67 Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Wed, 22 May 2019 10:33:15 +1200 Subject: [PATCH 1/4] tests/vlv: remove redundant assignments Signed-off-by: Douglas Bagnall --- source4/dsdb/tests/python/vlv.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/source4/dsdb/tests/python/vlv.py b/source4/dsdb/tests/python/vlv.py index 90a29ab6ec2..b068f8edae3 100644 --- a/source4/dsdb/tests/python/vlv.py +++ b/source4/dsdb/tests/python/vlv.py @@ -510,10 +510,8 @@ class VLVTests(VLVTestsBase): random.shuffle(gte_tests) res = None sort_control = "server_sort:1:0:%s" % attr - expected_order = self.get_expected_order(attr, expression) - sort_control = "server_sort:1:0:%s" % attr - res = None + for before in range(0, 11): after = before for gte in gte_tests: -- 2.20.1 From 2e899fbc1d13f5a380b9c22e0bd7f85e86ce24e9 Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Wed, 22 May 2019 10:32:29 +1200 Subject: [PATCH 2/4] tests/vlv: attempt to cause trouble by changing sort attribute Signed-off-by: Douglas Bagnall --- source4/dsdb/tests/python/vlv.py | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/source4/dsdb/tests/python/vlv.py b/source4/dsdb/tests/python/vlv.py index b068f8edae3..86ac2b72240 100644 --- a/source4/dsdb/tests/python/vlv.py +++ b/source4/dsdb/tests/python/vlv.py 
@@ -1216,6 +1216,29 @@ class VLVTests(VLVTestsBase): expected_results = [r for r in full_results if r != del_user[attr]] self.assertEqual(results, expected_results) + def test_vlv_change_during_search(self): + attr = 'facsimileTelephoneNumber' + prefix = "change_during_search_" + expr = "(&(objectClass=user)(cn=%s*))" % (prefix) + num_users = 3 + users = [self.create_user(i, num_users, prefix=prefix) + for i in range(num_users)] + expr = "(&(objectClass=user)(facsimileTelephoneNumber=%s*))" % (prefix) + + # Start the VLV, change the searched attribute and try the + # cookie. + results, cookie = self.vlv_search(attr, expr) + + for u in users: + self.ldb.modify_ldif("dn: %s\n" + "changetype: modify\n" + "replace: facsimileTelephoneNumber\n" + "facsimileTelephoneNumber: 123" % u['dn']) + + for i in range(2): + results, cookie = self.vlv_search(attr, expr, cookie=cookie, + offset=i+1) + class PagedResultsTests(TestsWithUserOU): -- 2.20.1 From c0aa1af3c3dcc68e8b0ea2bf2c0b75795064db05 Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Fri, 21 Aug 2020 17:10:22 +1200 Subject: [PATCH 3/4] s4: dns: Ensure variable initialization with NULL. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Ensure no use after free. Based on patches from Francis Brosnan Blázquez and Jeremy Allison BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795 Signed-off-by: Douglas Bagnall --- .../rpc_server/dnsserver/dcerpc_dnsserver.c | 24 ++++++++++--------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c index b6389f2328a..ec610168266 100644 --- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c +++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c 
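Review bot: In test_vlv_change_during_search the first `expr = "(&(objectClass=user)(cn=%s*))" % (prefix)` is dead code, overwritten two lines later by the facsimileTelephoneNumber filter; either drop it or keep the cn filter so the users still match after the modify (with the fax-number filter, replacing every value with `123` presumably removes all three users from the result set, which may or may not be the situation the test means to exercise). The loop that replays the cookie asserts nothing about `results`, so the test only establishes that the server does not raise on a cookie whose sort attribute changed underneath it; adding at least `self.assertEqual(results, [])` (or the order expected after the modify) would pin the behaviour rather than just the absence of an exception. A one-line docstring saying which server path this is meant to stress, e.g. `"""Replay a VLV cookie after the sorted attribute has changed."""`, would also help, since the name alone does not say what "trouble" is expected. The `u['dn']` access assumes create_user returns a mapping, which is not visible in this hunk.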
@@ -1759,15 +1759,17 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, TALLOC_CTX *tmp_ctx; char *name; const char * const attrs[] = { "name", "dnsRecord", NULL }; - struct ldb_result *res; - struct DNS_RPC_RECORDS_ARRAY *recs; + struct ldb_result *res = NULL; + struct DNS_RPC_RECORDS_ARRAY *recs = NULL; char **add_names = NULL; - char *rname; + char *rname = NULL; const char *preference_name = NULL; int add_count = 0; int i, ret, len; WERROR status; - struct dns_tree *tree, *base, *node; + struct dns_tree *tree = NULL; + struct dns_tree *base = NULL; + struct dns_tree *node = NULL; tmp_ctx = talloc_new(mem_ctx); W_ERROR_HAVE_NO_MEMORY(tmp_ctx); @@ -1850,9 +1852,9 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, } } - talloc_free(res); - talloc_free(tree); - talloc_free(name); + TALLOC_FREE(res); + TALLOC_FREE(tree); + TALLOC_FREE(name); /* Add any additional records */ if (select_flag & DNS_RPC_VIEW_ADDITIONAL_DATA) { @@ -1870,14 +1872,14 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, LDB_SCOPE_ONELEVEL, attrs, "(&(objectClass=dnsNode)(name=%s)(!(dNSTombstoned=TRUE)))", encoded_name); - talloc_free(name); + TALLOC_FREE(name); if (ret != LDB_SUCCESS) { continue; } if (res->count == 1) { break; } else { - talloc_free(res); + TALLOC_FREE(res); continue; } } @@ -1892,8 +1894,8 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, select_flag, rname, res->msgs[0], 0, recs, NULL, NULL); - talloc_free(rname); - talloc_free(res); + TALLOC_FREE(rname); + TALLOC_FREE(res); if (!W_ERROR_IS_OK(status)) { talloc_free(tmp_ctx); return status; -- 2.20.1 From 44f52bf42c224ab42882645e81d40ad1d8b28ce1 Mon Sep 17 00:00:00 2001 
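Review bot: Initialising the pointers to NULL removes the dangling-pointer reuse but not the dereference itself: in the 1870 hunk every zone iteration can leave `res` NULL (the `ret != LDB_SUCCESS` path continues without a valid result and the `TALLOC_FREE(res); continue;` path clears it), and the 1892 hunk then still passes `res->msgs[0]` to dns_fill_records_array, so a client requesting DNS_RPC_VIEW_ADDITIONAL_DATA for an additional name that has no dnsNode in any zone turns the use-after-free into a NULL dereference in the RPC server. A guard before that call, e.g. `if (res == NULL || res->count != 1) { TALLOC_FREE(rname); continue; }`, belongs in the same commit so the tree never sits at a revision that crashes on a crafted request; the next patch in this series appears to add equivalent handling, so squashing the two would be preferable. The outer loop over add_names and the allocation of `name`/`rname` fall between the hunks and are not visible here.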
From: Douglas Bagnall Date: Fri, 21 Aug 2020 17:23:17 +1200 Subject: [PATCH 4/4] s4/dns: do not crash when additional data not found MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Found by Francis Brosnan Blázquez . BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795 Signed-off-by: Douglas Bagnall --- source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c index ec610168266..88efc01f154 100644 --- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c +++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c @@ -1859,8 +1859,8 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, /* Add any additional records */ if (select_flag & DNS_RPC_VIEW_ADDITIONAL_DATA) { for (i=0; izones; z2; z2 = z2->next) { char *encoded_name; @@ -1877,6 +1877,7 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, continue; } if (res->count == 1) { + msg = res->msgs[0]; break; } else { TALLOC_FREE(res); @@ -1892,7 +1893,7 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, } status = dns_fill_records_array(tmp_ctx, NULL, DNS_TYPE_A, select_flag, rname, - res->msgs[0], 0, recs, + msg, 0, recs, NULL, NULL); TALLOC_FREE(rname); TALLOC_FREE(res); -- 2.20.1
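Review bot: After the zone loop `msg` remains NULL whenever no zone returned exactly one dnsNode for the additional name (every iteration took a `continue` path), and the 1893 hunk then hands that NULL to `dns_fill_records_array`; whether that function tolerates `msg == NULL` is not visible here, and if it does not, the crash from bug 12795 merely moves one frame down. An explicit `if (msg == NULL) { TALLOC_FREE(rname); continue; }` before the call would make the not-found case unambiguous regardless of the callee's behaviour. The 1859 hunk reads as `for (i=0; izones; z2; z2 = z2->next) {` in this copy, i.e. the text between `i<` and `->zones` was lost in extraction, so the declaration and per-iteration reset of `msg` cannot be confirmed from it — it needs to be declared (and set to NULL) inside the add_names loop, not once above it, or a match from a previous name would be reused.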