#2405 use-after-free in dyndns code
Closed: Fixed None Opened 5 years ago by jhrozek.

We have a use-after-free situation in the dyndns code, found by Chris Hartman and reported on sssd-users:

==13038== 1 errors in context 9 of 14:
==13038== Invalid read of size 1
==13038==    at 0x807C747: resolv_get_string_ptr_address (async_resolv.c:1442)
==13038==    by 0x8069777: be_nsupdate_create_ptr_msg (dp_dyndns.c:366)
==13038==    by 0x54F824E: sdap_dyndns_update_ptr_step (sdap_dyndns.c:402)
==13038==    by 0x54F8663: sdap_dyndns_update_done (sdap_dyndns.c:378)
==13038==    by 0x4051D7A: _tevent_req_notify_callback (in /usr/lib/i386-linux-gnu/libtevent.so.0.9.19)
==13038==    by 0x4051DB9: _tevent_req_done (in /usr/lib/i386-linux-gnu/libtevent.so.0.9.19)
==13038==    by 0x8067CF3: be_nsupdate_done (dp_dyndns.c:1093)
==13038==    by 0x4051D7A: _tevent_req_notify_callback (in /usr/lib/i386-linux-gnu/libtevent.so.0.9.19)
==13038==    by 0x4051DB9: _tevent_req_done (in /usr/lib/i386-linux-gnu/libtevent.so.0.9.19)
==13038==    by 0x8068347: nsupdate_child_handler (dp_dyndns.c:915)
==13038==    by 0x4197163: child_invoke_callback (child_common.c:603)
==13038==    by 0x4051577: tevent_common_loop_immediate (in /usr/lib/i386-linux-gnu/libtevent.so.0.9.19)
==13038==  Address 0x6b086af is 55 bytes inside a block of size 176 free'd
==13038==    at 0x402B3D8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13038==    by 0x40622B2: ??? (in /usr/lib/i386-linux-gnu/libtalloc.so.2.1.0)
==13038==    by 0x406223E: ??? (in /usr/lib/i386-linux-gnu/libtalloc.so.2.1.0)
==13038==    by 0x406223E: ??? (in /usr/lib/i386-linux-gnu/libtalloc.so.2.1.0)
==13038==    by 0x405EA0E: _talloc_free (in /usr/lib/i386-linux-gnu/libtalloc.so.2.1.0)
==13038==    by 0x54F7101: sdap_dyndns_dns_addrs_done (sdap_dyndns.c:207)
==13038==    by 0x4051D7A: _tevent_req_notify_callback (in /usr/lib/i386-linux-gnu/libtevent.so.0.9.19)
==13038==    by 0x4051DB9: _tevent_req_done (in /usr/lib/i386-linux-gnu/libtevent.so.0.9.19)
==13038==    by 0x8067483: nsupdate_get_addrs_done (dp_dyndns.c:726)
==13038==    by 0x4051D7A: _tevent_req_notify_callback (in /usr/lib/i386-linux-gnu/libtevent.so.0.9.19)
==13038==    by 0x4051DB9: _tevent_req_done (in /usr/lib/i386-linux-gnu/libtevent.so.0.9.19)
==13038==    by 0x807A079: resolv_gethostbyname_done (async_resolv.c:1367)
==13038== 
==13038==
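The two stacks above describe the classic tevent/talloc lifetime mistake: the block is released by a _talloc_free called from sdap_dyndns_dns_addrs_done, the callback that finishes the address lookup, and 55 bytes into that same block are read later by resolv_get_string_ptr_address while the PTR-update step builds its nsupdate message. In other words, a result that lived under the finished sub-request was still referenced after the sub-request was torn down. The program below is an added illustration of that pattern and its usual remedy; it is not SSSD code, not the patch that closed this ticket, and it does not link against talloc or tevent. A small hand-rolled ownership tree (own_alloc/own_free/own_steal) stands in for talloc_*, freed blocks are quarantined rather than returned to malloc so the demo can check lifetime without touching freed memory, and the struct names, the "done" callbacks and the SAMPLE_ADDR string are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for talloc's ownership tree (a demo assumption, not the real library):
 * each block knows its parent, and freeing a block frees its children first, the
 * behaviour behind the nested talloc frames below _talloc_free in the trace.
 * Freed blocks are quarantined (flagged, never handed back to malloc) so lifetime
 * can be checked through the flag instead of by reading freed memory. */
struct blk { struct blk *parent, *first_child, *next_sibling; int freed; };
#define HDR(p) ((struct blk *)(p) - 1)
int is_live(void *p) { return p && !HDR(p)->freed; }

static void link_child(struct blk *parent, struct blk *b)
{
    b->parent = parent;
    b->next_sibling = parent->first_child;
    parent->first_child = b;
}

static void unlink_from_parent(struct blk *b)
{
    if (!b->parent) return;
    struct blk **pp = &b->parent->first_child;
    while (*pp != b) pp = &(*pp)->next_sibling;
    *pp = b->next_sibling;
    b->parent = NULL;
}

void *own_alloc(void *parent, size_t size)
{
    struct blk *b = calloc(1, sizeof *b + size);
    if (!b) abort();
    if (parent) link_child(HDR(parent), b);
    return b + 1;
}

void own_free(void *p)                      /* like talloc_free: children go first */
{
    struct blk *b = HDR(p);
    while (b->first_child) own_free(b->first_child + 1);
    unlink_from_parent(b);
    b->freed = 1;                           /* quarantined rather than free()d */
}

void *own_steal(void *new_parent, void *p)  /* like talloc_steal: reparent, no copy */
{
    unlink_from_parent(HDR(p));
    link_child(HDR(new_parent), HDR(p));
    return p;
}

#define SAMPLE_ADDR "192.0.2.10"            /* constructed sample, not from the report */
/* Resolver sub-request: its result string is a child of the request, so it goes
 * away together with the request. */
struct resolv_subreq { char *addr; };

struct resolv_subreq *resolv_start(void *mem_ctx)
{
    struct resolv_subreq *req = own_alloc(mem_ctx, sizeof *req);
    req->addr = strcpy(own_alloc(req, sizeof SAMPLE_ADDR), SAMPLE_ADDR);
    return req;
}

/* Long-lived state of the whole update; the PTR step runs from it later. */
struct dyndns_state { char *addr; };

/* Buggy "done" callback: keeps the raw pointer, then tears the sub-request down.
 * Whatever runs later from state->addr reads the address out of freed memory. */
void addrs_done_buggy(struct dyndns_state *state, struct resolv_subreq *subreq)
{
    state->addr = subreq->addr;
    own_free(subreq);
}

/* Fixed callback: move the result under the long-lived state before freeing the
 * sub-request, so the data lives exactly as long as the code that needs it. */
void addrs_done_fixed(struct dyndns_state *state, struct resolv_subreq *subreq)
{
    state->addr = own_steal(state, subreq->addr);
    own_free(subreq);
}

int buggy_variant_dangles(void)   /* 1 if state->addr now points at freed memory */
{
    struct dyndns_state *st = own_alloc(NULL, sizeof *st);
    addrs_done_buggy(st, resolv_start(st));
    int dangling = !is_live(st->addr);
    own_free(st);
    return dangling;
}

int fixed_variant_is_live(void)   /* 1 if the PTR step would get a usable address */
{
    struct dyndns_state *st = own_alloc(NULL, sizeof *st);
    addrs_done_fixed(st, resolv_start(st));
    int ok = is_live(st->addr) && strcmp(st->addr, SAMPLE_ADDR) == 0;
    own_free(st);
    return ok;
}

int main(void)
{
    printf("buggy dangles: %d, fixed live: %d\n", buggy_variant_dangles(), fixed_variant_is_live());
    return 0;
}
```

The point to take from the two callbacks is the ordering: in a tevent-style state machine, anything a finished sub-request produced has to be moved (talloc_steal or a copy onto the caller's state) before the usual talloc_zfree(subreq), because freeing the sub-request frees every child allocation under it, including results that a later step still expects to read. Running the real code under valgrind, as the reporter did, is the quickest way to see which step tears a block down and which step still reads it.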

Fields changed

owner: somebody => pbrezina
status: new => assigned

Fields changed

owner: pbrezina => lslebodn
status: assigned => new

Fields changed

patch: 0 => 1
status: new => assigned

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.11.7

Metadata Update from @jhrozek:
- Issue assigned to lslebodn
- Issue set to the milestone: SSSD 1.11.7

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3447

If you want to receive further updates on the issue, please navigate to the github issue
and click on the subscribe button.

Thank you for understanding. We apologize for any inconvenience.
