Ticket 49184 - Overflow in memberof
Bug Description:
The function memberof_call_foreach_dn can be used to retrieve ancestors of a
given entry. (ancestors are groups owning directly or indirectly a given entry).
With the use of group cache in memberof, at the entrance of memberof_call_foreach_dn
there is an attempt to get the entry ancestors from the cache.
Before doing so it needs to test if the cache is safe. In fact, in case of
circular groups the use of the cache is disabled and lookup in the cache should not
happen.
To know if the cache is safe it needs to access a flag (use_cache) in callback_data.
The callback_data structure is opaque at this level. So accessing it
while its structure is unknown is dangerous.
The bug is that we may read an 'int' at an offset that overflows the actual structure.
This is just a test and should not trigger a crash.
Fix Description:
Add a flag to call memberof_call_foreach_dn that indicates if
it is valid to use the group cache.
https://pagure.io/389-ds-base/issue/49184
Reviewed by: William Brown and Mark Reynolds (thanks to you !!)
Platforms tested: F23
Flag Day: no
Doc impact: no
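
The pattern the commit message describes, as an added example that is not code from 389-ds-base: a walker that receives an opaque `void *` cannot safely read a flag out of it, so the caller passes the decision explicitly. All struct, function and DN names below are hypothetical, and the one-entry cache is constructed for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical payloads: two callers hand different structs to one walker. */
struct cached_cb_data { const char *dn; void *groups; int use_cache; };
struct plain_cb_data  { const char *dn; };

typedef int (*visit_fn)(const char *ancestor_dn, void *callback_data);

/* The pre-fix pattern cast callback_data to the larger struct and read
 * use_cache. This helper reports whether that read would stay inside an
 * object of obj_size bytes, without performing the read. */
int legacy_flag_read_in_bounds(size_t obj_size)
{
    return offsetof(struct cached_cb_data, use_cache) + sizeof(int) <= obj_size;
}

/* Constructed one-entry cache standing in for the group cache. */
static const char *cached_dn = "uid=alice,dc=example,dc=com";
static const char *cached_ancestors[] = { "cn=dev,dc=example,dc=com",
                                          "cn=staff,dc=example,dc=com" };

/* Post-fix pattern: the caller passes cache_ok; callback_data stays opaque
 * here and is only forwarded to the callback. Returns the number of
 * ancestors delivered, or -1 when the cache was not consulted and the
 * caller has to fall back to a real search. */
int walk_ancestors(const char *dn, visit_fn cb, void *callback_data, int cache_ok)
{
    if (!cache_ok || strcmp(dn, cached_dn) != 0)
        return -1;
    int n = 0;
    for (size_t i = 0; i < sizeof cached_ancestors / sizeof cached_ancestors[0]; i++)
        n += cb(cached_ancestors[i], callback_data) == 0;
    return n;
}

/* Callback that works with the small payload and never touches a flag. */
int count_visit(const char *ancestor_dn, void *callback_data)
{
    (void)ancestor_dn;
    (void)callback_data;
    return 0;
}
```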