From 13421cbe0af4343f9d110600755ffa756690b282 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Mon, 23 Feb 2009 15:43:31 -0500
Subject: Fixing serious memory allocation bug in sbus_message_handler.
 dbus_message_append_args() adds a reference to memory that is not copied to
 the outgoing message until dbus_connection_send() is called. Since we compile
 our reply messages in functions and then return the reply, we need a
 mechanism for deleting allocated memory after invoking dbus_connection_send.
 I have changed the arguments to sbus_msg_handler_fn so that it takes a talloc
 ctx containing the sbus_message_handler_ctx and a pointer to a reply object.
 We can now allocate memory as a child of the reply context and free it after
 calling dbus_connection_send.

---
 server/sbus/sssd_dbus.h            |  8 +++++++-
 server/sbus/sssd_dbus_connection.c | 32 ++++++++++++++++++++++----------
 2 files changed, 29 insertions(+), 11 deletions(-)

(limited to 'server/sbus')

diff --git a/server/sbus/sssd_dbus.h b/server/sbus/sssd_dbus.h
index c75bbc93..bc65e314 100644
--- a/server/sbus/sssd_dbus.h
+++ b/server/sbus/sssd_dbus.h
@@ -27,7 +27,8 @@ struct sbus_srv_ctx;
 
 #include "dbus/dbus.h"
 
-typedef int (*sbus_msg_handler_fn)(DBusMessage *, void *, DBusMessage **);
+struct sbus_message_ctx;
+typedef int (*sbus_msg_handler_fn)(DBusMessage *, struct sbus_message_ctx *);
 
 /*
  * sbus_conn_destructor_fn
@@ -71,6 +72,11 @@ struct sbus_message_handler_ctx {
     struct sbus_method_ctx *method_ctx;
 };
 
+struct sbus_message_ctx {
+    struct sbus_message_handler_ctx *mh_ctx;
+    DBusMessage *reply_message;
+};
+
 /* Server Functions */
 int sbus_new_server(TALLOC_CTX *mem_ctx,
                     struct event_context *ev, struct sbus_method_ctx *ctx,
diff --git a/server/sbus/sssd_dbus_connection.c b/server/sbus/sssd_dbus_connection.c
index d02dc6c8..186df356 100644
--- a/server/sbus/sssd_dbus_connection.c
+++ b/server/sbus/sssd_dbus_connection.c
@@ -483,7 +483,7 @@ DBusHandlerResult sbus_message_handler(DBusConnection *conn,
     const char *method;
     const char *path;
     const char *msg_interface;
-    DBusMessage *reply = NULL;
+    struct sbus_message_ctx *reply = NULL;
     int i, ret;
     int found;
 
@@ -503,14 +503,22 @@ DBusHandlerResult sbus_message_handler(DBusConnection *conn,
     if (strcmp(path, ctx->method_ctx->path) != 0)
         return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
 
+    reply = talloc_zero(ctx, struct sbus_message_ctx);
+    if (!reply) return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+    reply->mh_ctx = ctx;
+    reply->reply_message = NULL;
+
     /* Validate the method interface */
     if (strcmp(msg_interface, ctx->method_ctx->interface) == 0) {
         found = 0;
         for (i = 0; ctx->method_ctx->methods[i].method != NULL; i++) {
             if (strcmp(method, ctx->method_ctx->methods[i].method) == 0) {
                 found = 1;
-                ret = ctx->method_ctx->methods[i].fn(message, ctx, &reply);
-                if (ret != EOK) return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+                ret = ctx->method_ctx->methods[i].fn(message, reply);
+                if (ret != EOK) {
+                    talloc_free(reply);
+                    return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+                }
                 break;
             }
         }
@@ -518,7 +526,7 @@ DBusHandlerResult sbus_message_handler(DBusConnection *conn,
         if (!found) {
             /* Reply DBUS_ERROR_UNKNOWN_METHOD */
             DEBUG(1, ("No matching method found for %s.\n", method));
-            reply = dbus_message_new_error(message, DBUS_ERROR_UNKNOWN_METHOD, NULL);
+            reply->reply_message = dbus_message_new_error(message, DBUS_ERROR_UNKNOWN_METHOD, NULL);
         }
     }
     else {
@@ -532,20 +540,24 @@ DBusHandlerResult sbus_message_handler(DBusConnection *conn,
                 /* If we have been asked for introspection data and we have
                  * an introspection function registered, user that.
                  */
-                ret = ctx->method_ctx->introspect_fn(message, ctx, &reply);
-                if (ret != EOK) return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+                ret = ctx->method_ctx->introspect_fn(message, reply);
+                if (ret != EOK) {
+                    talloc_free(reply);
+                    return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+                }
             }
         }
         else
             return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
     }
 
-    DEBUG(5, ("Method %s complete. Reply was %ssent.\n", method, reply?"":"not "));
+    DEBUG(5, ("Method %s complete. Reply was %ssent.\n", method, reply->reply_message?"":"not "));
 
-    if (reply) {
-        dbus_connection_send(conn, reply, NULL);
-        dbus_message_unref(reply);
+    if (reply->reply_message) {
+        dbus_connection_send(conn, reply->reply_message, NULL);
+        dbus_message_unref(reply->reply_message);
     }
+    talloc_free(reply);
 
     return DBUS_HANDLER_RESULT_HANDLED;
 }
-- 
cgit