#2829 collapse_srv_lookups frees fo_server structure that is returned by fail over API

Created 2 years ago by jhrozek
Modified 8 months ago

The fail-over API returns fo_server structure:

int fo_resolve_service_recv(struct tevent_req *req,
                            struct fo_server **server);

But the fo_server only points to a structure inside failover. At the same time, the collapse_srv_lookup frees the server if the TTL timeout has been reached. If another request still points to the previous fo_server, this would lead to use-after-free situations.

We should consider using something like reference counting.
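One way reference counting could close the lifetime gap described above, as an added example that is not SSSD's code or the patch from this ticket. `struct srv`, `srv_new`, `srv_ref` and `srv_unref` are hypothetical names standing in for the fail-over server handling, and the host name is constructed.

```c
/* Added illustration; hypothetical names, not SSSD's fail-over code. */
#include <stdlib.h>
#include <string.h>

struct srv {                 /* stands in for struct fo_server */
    unsigned refs;           /* number of live owners */
    char name[64];
};
static int srv_freed;        /* counts real frees, for the demonstration */

/* Created with one reference, owned by the fail-over server list. */
static struct srv *srv_new(const char *name)
{
    struct srv *s = calloc(1, sizeof(*s));
    if (s == NULL) return NULL;
    s->refs = 1;
    strncpy(s->name, name, sizeof(s->name) - 1);
    return s;
}

/* A request that keeps the pointer after the recv call takes a reference. */
static struct srv *srv_ref(struct srv *s) { if (s) s->refs++; return s; }

/* Drop one reference and clear the caller's pointer; the memory is released
 * only when the last owner lets go. Returns 1 if it was freed. */
static int srv_unref(struct srv **ps)
{
    struct srv *s = *ps;
    *ps = NULL;
    if (s == NULL || --s->refs > 0) return 0;
    free(s);
    srv_freed++;
    return 1;
}

/* The ticket's scenario: the SRV TTL expires while a request holds the server.
 * Returns 1 if the held pointer stayed valid until the request released it. */
static int ttl_expiry_scenario(void)
{
    struct srv *entry = srv_new("ldap1.example.test");   /* constructed name */
    if (entry == NULL) return 0;
    struct srv *held = srv_ref(entry);          /* handed out to a request */
    int freed_early = srv_unref(&entry);        /* collapse: list drops its ref */
    int valid = strcmp(held->name, "ldap1.example.test") == 0;
    int freed_last = srv_unref(&held);          /* request finishes */
    return !freed_early && valid && freed_last && held == NULL;
}

int main(void) { return ttl_expiry_scenario() ? 0 : 1; }
```

Building with `-fsanitize=address` and removing the `srv_ref` call reproduces the heap-use-after-free report at the `strcmp` line.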

Fields changed

summary: collapse_srv_lookups frees fo_server structure that is returned y fail over API => collapse_srv_lookups frees fo_server structure that is returned by fail over API

Fields changed

owner: somebody => jhrozek
patch: 0 => 1
status: new => assigned

The patch is available, but since the bug was there since 2010 and the patch is risky, I would prefer to only fix the bug in master.

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.14 alpha

resolution: => fixed
status: assigned => closed

sssd-1-13:

milestone: SSSD 1.14 alpha => SSSD 1.13.4

8 months ago

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.13.4


defect

SSSD

1.13.1


https://bugzilla.redhat.com/show_bug.cgi?id=1270558
