From 39b9e399cae2d6a51e8793fbf7b74e56271d9fcf Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Thu, 4 Nov 2021 16:26:09 +1300
Subject: [PATCH] CVE-2020-25722 s4/dsdb/samldb: Fix use-after-free in check_spn_write_rights()

Ensure that we don't use del_el after it has been invalidated by the second call to ldb_msg_add_empty(), which performs a talloc_realloc().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Joseph Sutton
---
 source4/dsdb/samdb/ldb_modules/samldb.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 022dbc0c3cc..db3883eb527 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -3688,6 +3688,16 @@ static int check_spn_write_rights(struct ldb_context *ldb,
 		talloc_free(msg);
 		return ret;
 	}
+
+	del_el->values = talloc_array(msg->elements, struct ldb_val, 1);
+	if (del_el->values == NULL) {
+		talloc_free(msg);
+		return ret;
+	}
+
+	del_el->values[0] = val;
+	del_el->num_values = 1;
+
 	ret = ldb_msg_add_empty(msg,
 				"servicePrincipalName",
 				LDB_FLAG_MOD_ADD,
@@ -3697,22 +3707,15 @@ static int check_spn_write_rights(struct ldb_context *ldb,
 		return ret;
 	}
 
-	del_el->values = talloc_array(msg->elements, struct ldb_val, 1);
-	if (del_el->values == NULL) {
-		talloc_free(msg);
-		return ret;
-	}
-
 	add_el->values = talloc_array(msg->elements, struct ldb_val, 1);
 	if (add_el->values == NULL) {
 		talloc_free(msg);
 		return ret;
 	}
 
-	del_el->values[0] = val;
-	del_el->num_values = 1;
 	add_el->values[0] = val;
 	add_el->num_values = 1;
+
 	ret = ldb_modify(ldb, msg);
 	if (ret == LDB_ERR_NO_SUCH_ATTRIBUTE) {
 		DBG_ERR("hmm I think we're OK, but not sure\n");
-- 
2.31.1.362.g311531c9de
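Review bot: In the added `if (del_el->values == NULL)` branch of the first hunk, `return ret;` hands back whatever the preceding `ldb_msg_add_empty()` left in `ret`, which on this path has just passed the error check above it and is presumably LDB_SUCCESS, so a talloc_array() failure is reported to the caller as success; the unchanged `add_el->values == NULL` branch in the second hunk has the same problem. Both branches should return an explicit out-of-memory error, e.g. `return ldb_oom(ldb);`, instead of the stale `ret`. The reordering would also benefit from a comment stating the constraint it enforces, such as `/* Fill del_el before the next ldb_msg_add_empty(): it reallocates msg->elements and would invalidate del_el. */`, so the two blocks are not merged again later. check_spn_write_rights() begins before the first hunk and continues after the second.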