summaryrefslogtreecommitdiff
path: root/src/responder/pam
diff options
context:
space:
mode:
authorStephen Gallagher <sgallagh@redhat.com>2012-01-21 12:11:23 -0500
committerStephen Gallagher <sgallagh@redhat.com>2012-01-23 08:19:11 -0500
commit9d1d6019a27a0ed70a665700a9f6acc55f874811 (patch)
treee7b623e4fb4954c4d3a3b6eff8ef1823748b01ab /src/responder/pam
parent0c7aa697991ea9df960fae14fd567ebdda3b4ff4 (diff)
downloadsssd-9d1d6019a27a0ed70a665700a9f6acc55f874811.tar.gz
sssd-9d1d6019a27a0ed70a665700a9f6acc55f874811.tar.bz2
sssd-9d1d6019a27a0ed70a665700a9f6acc55f874811.zip
DP: Fix bugs in sss_dp_get_account_int
The conversion to the tevent_req style introduced numerous bugs related to memory management of the various client requests. In some circumstances, this could cause memory corruption and segmentation faults in the NSS responder. This patch makes the following changes: 1) Rename the internal lookup from subreq to sidereq, to indicate that it is not a sub-request of the current lookup (and therefore is not cancelled if the current request is). 2) Change the handling of the callback loops since they call tevent_req_[done|error], which results in them being freed (and therefore removed from the cb_list. This was the source of the memory corruption that would occasionally result in dereferencing an unreadable request. 3) Remove the unnecessary sss_dp_get_account_int_recv() function and change sss_dp_get_account_done() so that it only frees the sidereq. All of the waiting processes have already been signaled with the final results from sss_dp_get_account_int_done()
Diffstat (limited to 'src/responder/pam')
-rw-r--r--src/responder/pam/pamsrv_cmd.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 8cb64221..0f9fd5ed 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -994,6 +994,7 @@ static void pam_dp_send_acct_req_done(struct tevent_req *req)
ret = sss_dp_get_account_recv(cb_ctx->mem_ctx, req,
&err_maj, &err_min,
&err_msg);
+ talloc_zfree(req);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
("Fatal error, killing connection!\n"));