The branch, master has been updated
via 750f6847f04 dsdb: fix bug 15872, use-after-free
from f91df3191bc iconv: fixed coverity issue CID1609382
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 750f6847f04d5c18ee308ac8bc5bc0828c32deeb
Author: Douglas Bagnall <[email protected]>
Date: Sun Jun 22 15:05:39 2025 +1200
dsdb: fix bug 15872, use-after-free
We were finding the old element, reallocing, then copying,
which is the wrong order.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15872
Signed-off-by: Douglas Bagnall <[email protected]>
Reviewed-by: Jennifer Sutton <[email protected]>
Autobuild-User(master): Douglas Bagnall <[email protected]>
Autobuild-Date(master): Wed Jul 30 02:03:40 UTC 2025 on atb-devel-224
-----------------------------------------------------------------------
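The commit message describes the bug as taking a pointer to the old element, then calling a routine that reallocs the element array, then using the stale pointer. The following is an added illustration of that ordering rule and is not Samba's code nor part of this commit: it uses hypothetical `struct message`/`struct element` types and hypothetical `find_element`, `add_empty` and `replace_element` functions that only mimic the "array grown by realloc" shape of the real code. It shows the safe order (grow first, then look up), including the `old_el == el` guard for the case where no prior element of that name exists.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal types (not ldb's): an array of elements that is
 * grown with realloc, so any pointer into it is invalidated by a grow. */
struct element {
    const char *name;
    int flags;
};

struct message {
    unsigned num_elements;
    struct element *elements;   /* realloc'd on every add */
};

enum { FLAG_MOD_ADD = 1, FLAG_MOD_DELETE = 2 };

/* Returns the first element with this name, or NULL. The pointer is only
 * valid until the next call that grows msg->elements. */
static struct element *find_element(struct message *msg, const char *name)
{
    for (unsigned i = 0; i < msg->num_elements; i++) {
        if (strcmp(msg->elements[i].name, name) == 0) {
            return &msg->elements[i];
        }
    }
    return NULL;
}

/* Appends an empty element; may move the whole array. Returns 0 on success
 * and hands back a pointer into the *new* array. */
static int add_empty(struct message *msg, const char *name, int flags,
                     struct element **out)
{
    struct element *grown = realloc(msg->elements,
                                    (msg->num_elements + 1) * sizeof(*grown));
    if (grown == NULL) {
        return -1;
    }
    msg->elements = grown;
    grown[msg->num_elements] = (struct element){ .name = name, .flags = flags };
    *out = &grown[msg->num_elements];
    msg->num_elements++;
    return 0;
}

/* Safe order: grow the array first, then take pointers into the final array.
 * Marks the pre-existing element DELETE and the new one ADD. Returns 0 on
 * success, -1 on allocation failure or if no prior element of that name
 * existed (find_element then returns the element we just added). */
static int replace_element(struct message *msg, const char *name)
{
    struct element *old_el, *el;

    if (add_empty(msg, name, FLAG_MOD_ADD, &el) != 0) {
        return -1;
    }
    /* find_element returns the first match: the pre-existing element if
     * there was one, otherwise the one just appended. */
    old_el = find_element(msg, name);
    if (old_el == NULL || old_el == el) {
        return -1;
    }
    old_el->flags = FLAG_MOD_DELETE;
    return 0;
}

/* Constructed sample message, optionally holding one "dnsRecord" element. */
static struct message *make_message(int with_record)
{
    struct message *msg = calloc(1, sizeof(*msg));
    struct element *el;
    if (msg == NULL) {
        return NULL;
    }
    if (with_record && add_empty(msg, "dnsRecord", 0, &el) != 0) {
        free(msg);
        return NULL;
    }
    return msg;
}

static void free_message(struct message *msg)
{
    if (msg != NULL) {
        free(msg->elements);
        free(msg);
    }
}

int main(void)
{
    struct message *msg = make_message(1);
    int rc = msg ? replace_element(msg, "dnsRecord") : -1;
    printf("replace_element: %d, elements: %u, flags: %d/%d\n", rc,
           msg ? msg->num_elements : 0,
           msg ? msg->elements[0].flags : 0, msg ? msg->elements[1].flags : 0);
    free_message(msg);
    return rc == 0 ? 0 : 1;
}
```

The point of `replace_element` is that no pointer obtained before `add_empty` survives the call; the lookup is repeated after the array has reached its final size, which is exactly the reordering the commit applies.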
Summary of changes:
source4/dsdb/kcc/scavenge_dns_records.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/dsdb/kcc/scavenge_dns_records.c b/source4/dsdb/kcc/scavenge_dns_records.c
index f41250cbd1b..0a5016fa62b 100644
--- a/source4/dsdb/kcc/scavenge_dns_records.c
+++ b/source4/dsdb/kcc/scavenge_dns_records.c
@@ -182,19 +182,23 @@ static NTSTATUS dns_tombstone_records_zone(TALLOC_CTX
*mem_ctx,
return NT_STATUS_INTERNAL_ERROR;
}
- old_el = ldb_msg_find_element(new_msg, "dnsRecord");
- if (old_el == NULL) {
+ /*
+ * This empty record will become the replacement for old_el.
+ * (we add it first because it reallocs).
+ */
+ ret = ldb_msg_add_empty(
+ new_msg, "dnsRecord", LDB_FLAG_MOD_ADD, &el);
+ if (ret != LDB_SUCCESS) {
TALLOC_FREE(new_msg);
return NT_STATUS_INTERNAL_ERROR;
}
- old_el->flags = LDB_FLAG_MOD_DELETE;
- ret = ldb_msg_add_empty(
- new_msg, "dnsRecord", LDB_FLAG_MOD_ADD, &el);
- if (ret != LDB_SUCCESS) {
+ old_el = ldb_msg_find_element(new_msg, "dnsRecord");
+ if (old_el == NULL || old_el == el) {
TALLOC_FREE(new_msg);
return NT_STATUS_INTERNAL_ERROR;
}
+ old_el->flags = LDB_FLAG_MOD_DELETE;
status = copy_current_records(new_msg, old_el, el,
dns_timestamp);
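Review bot: The `old_el == el` guard in this hunk silently depends on ldb_msg_find_element returning the first element with that name, i.e. on the pre-existing dnsRecord element sitting before the one ldb_msg_add_empty just appended; that ordering assumption deserves a line in the comment next to the check, since a reader who only sees `old_el == el` will not know it is the "no existing dnsRecord" case that the old code caught with `old_el == NULL`. The reordering itself is the right fix: taking the old_el pointer only after the realloc inside ldb_msg_add_empty means it can no longer dangle by the time copy_current_records(new_msg, old_el, el, dns_timestamp) uses it. A regression test that runs this path once with and once without a pre-existing dnsRecord element would pin both branches.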
--
Samba Shared Repository