From 02bb99efeffaf8fd1d5dab61431e131d85d044be Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Mon, 13 Sep 2021 11:34:56 +1200
Subject: [PATCH 1/3] pytest:segfault: Add test for ldb.msg_diff()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

[abartlet@samba.org backported form from commit
a99a76722d6046a5d63032e3d2bb3f791da948a6 due to conflicts
with other new segfault tests]
---
 python/samba/tests/segfault.py        | 11 +++++++++++
 selftest/knownfail.d/python-segfaults |  1 +
 2 files changed, 12 insertions(+)

diff --git a/python/samba/tests/segfault.py b/python/samba/tests/segfault.py
index 07e2d46d56a..eac314982a8 100644
--- a/python/samba/tests/segfault.py
+++ b/python/samba/tests/segfault.py
@@ -174,3 +174,14 @@ class SegfaultTests(samba.tests.TestCase):
     def test_dcerpc_idl_inline_arrays(self):
         """Inline arrays were incorrectly handled."""
         dnsserver.DNS_RPC_SERVER_INFO_DOTNET().pExtensions
+
+    @segfault_detector
+    def test_ldb_msg_diff(self):
+        samdb = self.get_samdb()
+
+        msg = ldb.Message()
+        msg.dn = ldb.Dn(samdb, '')
+        diff = samdb.msg_diff(msg, msg)
+
+        del msg
+        diff.dn
diff --git a/selftest/knownfail.d/python-segfaults b/selftest/knownfail.d/python-segfaults
index 1be0566dcb1..b7229fc7229 100644
--- a/selftest/knownfail.d/python-segfaults
+++ b/selftest/knownfail.d/python-segfaults
@@ -1 +1,2 @@
 samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_net_replicate_init__3
+samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_ldb_msg_diff
-- 
2.25.1


From 2301041faa52ee8180f9f3396007c402c35c10c7 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Tue, 14 Sep 2021 11:08:41 +1200
Subject: [PATCH 2/3] ldb_msg: Don't fail in ldb_msg_copy() if source DN is
 NULL

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit c2bbe774ce03661666a1f48922a9ab681ef4f64b)
---
 lib/ldb/common/ldb_msg.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c
index 2346e66ec39..7131f013f71 100644
--- a/lib/ldb/common/ldb_msg.c
+++ b/lib/ldb/common/ldb_msg.c
@@ -876,8 +876,10 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx,
 	msg2 = ldb_msg_copy_shallow(mem_ctx, msg);
 	if (msg2 == NULL) return NULL;
 
-	msg2->dn = ldb_dn_copy(msg2, msg2->dn);
-	if (msg2->dn == NULL) goto failed;
+	if (msg2->dn != NULL) {
+		msg2->dn = ldb_dn_copy(msg2, msg2->dn);
+		if (msg2->dn == NULL) goto failed;
+	}
 
 	for (i=0;i<msg2->num_elements;i++) {
 		struct ldb_message_element *el = &msg2->elements[i];
-- 
2.25.1


From 7fc1df0acf47460d85dc21506c3bd797d344ad99 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Mon, 13 Sep 2021 11:15:17 +1200
Subject: [PATCH 3/3] pyldb: Avoid use-after-free in msg_diff()

Make a deep copy of the message elements in msg_diff() so that if either
of the input messages are deallocated early, the result does not refer
to non-existing elements.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

[abartlet@samba.org backported from commit
 19a2af02f57d99db8ed3c6b028c3abdf4b553700 due to conflicts in
 the knownfail.d/python-segfaults file]
---
 lib/ldb/pyldb.c                       | 18 ++++++++++++++++--
 selftest/knownfail.d/python-segfaults |  1 -
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c
index 813cdb0870e..443b677c2c4 100644
--- a/lib/ldb/pyldb.c
+++ b/lib/ldb/pyldb.c
@@ -1804,6 +1804,7 @@ static PyObject *py_ldb_msg_diff(PyLdbObject *self, PyObject *args)
 	struct ldb_message *diff;
 	struct ldb_context *ldb;
 	PyObject *py_ret;
+	TALLOC_CTX *mem_ctx = NULL;
 
 	if (!PyArg_ParseTuple(args, "OO", &py_msg_old, &py_msg_new))
 		return NULL;
@@ -1818,19 +1819,32 @@ static PyObject *py_ldb_msg_diff(PyLdbObject *self, PyObject *args)
 		return NULL;
 	}
 
+	mem_ctx = talloc_new(NULL);
+	if (mem_ctx == NULL) {
+		PyErr_NoMemory();
+		return NULL;
+	}
+
 	ldb = pyldb_Ldb_AS_LDBCONTEXT(self);
-	ldb_ret = ldb_msg_difference(ldb, ldb,
+	ldb_ret = ldb_msg_difference(ldb, mem_ctx,
 	                             pyldb_Message_AsMessage(py_msg_old),
 	                             pyldb_Message_AsMessage(py_msg_new),
 	                             &diff);
 	if (ldb_ret != LDB_SUCCESS) {
+		talloc_free(mem_ctx);
 		PyErr_SetString(PyExc_RuntimeError, "Failed to generate the Ldb Message diff");
 		return NULL;
 	}
 
+	diff = ldb_msg_copy(mem_ctx, diff);
+	if (diff == NULL) {
+		PyErr_NoMemory();
+		return NULL;
+	}
+
 	py_ret = PyLdbMessage_FromMessage(diff);
 
-	talloc_unlink(ldb, diff);
+	talloc_free(mem_ctx);
 
 	return py_ret;
 }
diff --git a/selftest/knownfail.d/python-segfaults b/selftest/knownfail.d/python-segfaults
index b7229fc7229..1be0566dcb1 100644
--- a/selftest/knownfail.d/python-segfaults
+++ b/selftest/knownfail.d/python-segfaults
@@ -1,2 +1 @@
 samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_net_replicate_init__3
-samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_ldb_msg_diff
-- 
2.25.1