From 13421cbe0af4343f9d110600755ffa756690b282 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Mon, 23 Feb 2009 15:43:31 -0500 Subject: Fixing serious memory allocation bug in sbus_message_handler. dbus_message_append_args() adds a reference to memory that is not copied to the outgoing message until dbus_connection_send() is called. Since we compile our reply messages in functions and then return the reply, we need a mechanism for deleting allocated memory after invoking dbus_connection_send. I have changed the arguments to sbus_msg_handler_fn so that it takes a talloc ctx containing the sbus_message_handler_ctx and a pointer to a reply object. We can now allocate memory as a child of the reply context and free it after calling dbus_connection_send. --- server/nss/nsssrv.c | 28 ++++++++++++---------------- server/nss/nsssrv_dp.c | 8 +++----- 2 files changed, 15 insertions(+), 21 deletions(-) (limited to 'server/nss') diff --git a/server/nss/nsssrv.c b/server/nss/nsssrv.c index b6191cce..0909f629 100644 --- a/server/nss/nsssrv.c +++ b/server/nss/nsssrv.c @@ -44,9 +44,9 @@ #define SSS_NSS_PIPE_NAME "nss" -static int service_identity(DBusMessage *message, void *data, DBusMessage **r); -static int service_pong(DBusMessage *message, void *data, DBusMessage **r); -static int service_reload(DBusMessage *message, void *data, DBusMessage **r); +static int service_identity(DBusMessage *message, struct sbus_message_ctx *reply); +static int service_pong(DBusMessage *message, struct sbus_message_ctx *reply); +static int service_reload(DBusMessage *message, struct sbus_message_ctx *reply); static int nss_init_domains(struct nss_ctx *nctx); static int _domain_comparator(const void *key1, const void *key2); 
@@ -227,18 +227,17 @@ static void accept_fd_handler(struct event_context *ev, return; } -static int service_identity(DBusMessage *message, void *data, DBusMessage **r) +static int service_identity(DBusMessage *message, struct sbus_message_ctx *reply) { dbus_uint16_t version = NSS_SBUS_SERVICE_VERSION; - const char *name = NSS_SBUS_SERVICE_NAME; - DBusMessage *reply; + const char *name = NSS_SBUS_SERVICE_NAME;\ dbus_bool_t ret; DEBUG(4,("Sending ID reply: (%s,%d)\n", name, version)); - reply = dbus_message_new_method_return(message); - ret = dbus_message_append_args(reply, + reply->reply_message = dbus_message_new_method_return(message); + ret = dbus_message_append_args(reply->reply_message, DBUS_TYPE_STRING, &name, DBUS_TYPE_UINT16, &version, DBUS_TYPE_INVALID); @@ -246,33 +245,30 @@ static int service_identity(DBusMessage *message, void *data, DBusMessage **r) return EIO; } - *r = reply; return EOK; } -static int service_pong(DBusMessage *message, void *data, DBusMessage **r) +static int service_pong(DBusMessage *message, struct sbus_message_ctx *reply) { - DBusMessage *reply; dbus_bool_t ret; - reply = dbus_message_new_method_return(message); - ret = dbus_message_append_args(reply, DBUS_TYPE_INVALID); + reply->reply_message = dbus_message_new_method_return(message); + ret = dbus_message_append_args(reply->reply_message, DBUS_TYPE_INVALID); if (!ret) { return EIO; } - *r = reply; return EOK; } -static int service_reload(DBusMessage *message, void *data, DBusMessage **r) { +static int service_reload(DBusMessage *message, struct sbus_message_ctx *reply) { /* Monitor calls this function when we need to reload * our configuration information. Perform whatever steps * are needed to update the configuration objects. */ /* Send an empty reply to acknowledge receipt */ - return service_pong(message, data, r); + return service_pong(message, reply); } static int nss_sbus_init(struct nss_ctx *nctx) 
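Review bot: The result of `dbus_message_new_method_return(message)` is stored in `reply->reply_message` and passed straight to `dbus_message_append_args()` without a NULL check, and the same pattern recurs in service_pong in the next hunk and in nss_dp_identity in nsssrv_dp.c. The call returns NULL when memory is exhausted, so I would add `if (reply->reply_message == NULL) return ENOMEM;` right after the assignment in each handler rather than rely on libdbus rejecting a NULL message. The added line `const char *name = NSS_SBUS_SERVICE_NAME;\` also ends in a stray backslash. It only splices the next declaration onto the same line, but it looks accidental and should be dropped. service_identity's body continues past the end of this hunk.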
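Review bot: On the `return EIO;` path in service_pong the partly built message stays in `reply->reply_message`, so a failed handler now leaves the caller holding a message it may send or leak. The same applies to the tail of service_identity at the top of this hunk and to nss_dp_identity in nsssrv_dp.c. Whether the sbus dispatcher unrefs or ignores the message on a non-EOK return is not visible in this diff. I would either release it in the handler with `dbus_message_unref(reply->reply_message); reply->reply_message = NULL;` before `return EIO;`, or add a comment at the handler prototypes stating that the caller owns and frees `reply_message` on every return path.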
diff --git a/server/nss/nsssrv_dp.c b/server/nss/nsssrv_dp.c index 487ac285..b5746e86 100644 --- a/server/nss/nsssrv_dp.c +++ b/server/nss/nsssrv_dp.c @@ -281,20 +281,19 @@ done: return err; } -static int nss_dp_identity(DBusMessage *message, void *data, DBusMessage **r) +static int nss_dp_identity(DBusMessage *message, struct sbus_message_ctx *reply) { dbus_uint16_t version = DATA_PROVIDER_VERSION; dbus_uint16_t clitype = DP_CLI_FRONTEND; const char *cliname = "NSS"; const char *nullname = ""; - DBusMessage *reply; dbus_bool_t ret; DEBUG(4,("Sending ID reply: (%d,%d,%s)\n", clitype, version, cliname)); - reply = dbus_message_new_method_return(message); - ret = dbus_message_append_args(reply, + reply->reply_message = dbus_message_new_method_return(message); + ret = dbus_message_append_args(reply->reply_message, DBUS_TYPE_UINT16, &clitype, DBUS_TYPE_UINT16, &version, DBUS_TYPE_STRING, &cliname, @@ -304,7 +303,6 @@ static int nss_dp_identity(DBusMessage *message, void *data, DBusMessage **r) return EIO; } - *r = reply; return EOK; } -- cgit
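Review bot: nss_dp_identity still passes the addresses of the stack locals `clitype` and `version` to `dbus_message_append_args()` and returns before the message is sent, and nothing visible in it is allocated under the new `reply` context; service_identity in nsssrv.c does the same with `&version`. If the lifetime rule in the commit description applies to these basic-type arguments, the message would reference stack memory that is no longer valid when `dbus_connection_send()` runs. I would confirm how libdbus treats appended basic values and then either add a comment above the append call, such as `/* values are copied into the message at append time; locals may go out of scope */`, or move the values into memory owned by `reply`. The middle of the function (the remaining append arguments and the `if (!ret)` test) lies between this hunk and the next one and is not shown.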