From ca859e55d28f421196bc2660cfa84595ec5b57c6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 15 Oct 2021 03:34:11 +0200
Subject: [PATCH] s3:libads: avoid changing ADS->server.workgroup
ads_find_dc() uses c_domain = ads->server.workgroup and don't expect it to get out of scope deep in resolve_and_ping_dns().
The result are corrupted domain values in the debug output.
Valgrind shows this:
Invalid read of size 1
at 0x483EF46: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x608BE94: __vfprintf_internal (vfprintf-internal.c:1688)
by 0x609ED49: __vasprintf_internal (vasprintf.c:57)
by 0x5D2EC0F: __dbgtext_va (debug.c:1860)
by 0x5D2ED3F: dbgtext (debug.c:1881)
by 0x4BFFB50: ads_find_dc (ldap.c:570)
by 0x4C001F4: ads_connect (ldap.c:704)
by 0x4C1DC12: ads_dc_name (namequery_dc.c:84)
Address 0xb69f6f0 is 0 bytes inside a block of size 11 free'd
at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x4BFF0AF: ads_try_connect (ldap.c:299)
by 0x4BFF40E: cldap_ping_list (ldap.c:367)
by 0x4BFF75F: resolve_and_ping_dns (ldap.c:468)
by 0x4BFFA91: ads_find_dc (ldap.c:556)
by 0x4C001F4: ads_connect (ldap.c:704)
by 0x4C1DC12: ads_dc_name (namequery_dc.c:84)
Block was alloc'd at
at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x60B250E: strdup (strdup.c:42)
by 0x4FF1492: smb_xstrdup (util.c:743)
by 0x4C10E62: ads_init (ads_struct.c:148)
by 0x4C1DB68: ads_dc_name (namequery_dc.c:73)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
---
 source3/libads/ldap.c | 16 ++++++++--------
 source3/librpc/idl/ads.idl | 1 +
 source3/utils/net_ads.c | 6 ++++++
 3 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index ff67ad28a2a..4d4afb279c8 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -280,12 +280,12 @@ static bool ads_fill_cldap_reply(ADS_STRUCT *ads,
 /* Fill in the ads->config values */
+ ADS_TALLOC_CONST_FREE(ads->config.workgroup);
 ADS_TALLOC_CONST_FREE(ads->config.realm);
 ADS_TALLOC_CONST_FREE(ads->config.bind_path);
 ADS_TALLOC_CONST_FREE(ads->config.ldap_server_name);
 ADS_TALLOC_CONST_FREE(ads->config.server_site_name);
 ADS_TALLOC_CONST_FREE(ads->config.client_site_name);
- ADS_TALLOC_CONST_FREE(ads->server.workgroup);
 if (!check_cldap_reply_required_flags(cldap_reply->server_type, ads->config.flags)) {
@@ -301,6 +301,13 @@ static bool ads_fill_cldap_reply(ADS_STRUCT *ads,
 goto out;
 }
+ ads->config.workgroup = talloc_strdup(ads, cldap_reply->domain_name);
+ if (ads->config.workgroup == NULL) {
+ DBG_WARNING("Out of memory\n");
+ ret = false;
+ goto out;
+ }
+
 ads->config.realm = talloc_asprintf_strupper_m(ads, "%s", cldap_reply->dns_domain);
@@ -339,13 +346,6 @@ static bool ads_fill_cldap_reply(ADS_STRUCT *ads,
 }
 }
- ads->server.workgroup = talloc_strdup(ads, cldap_reply->domain_name);
- if (ads->server.workgroup == NULL) {
- DBG_WARNING("Out of memory\n");
- ret = false;
- goto out;
- }
-
 ads->ldap.port = gc ? LDAP_GC_PORT : LDAP_PORT;
 ads->ldap.ss = *ss;
diff --git a/source3/librpc/idl/ads.idl b/source3/librpc/idl/ads.idl
index 4f3a387556a..d10e5b4dc77 100644
--- a/source3/librpc/idl/ads.idl
+++ b/source3/librpc/idl/ads.idl
@@ -59,6 +59,7 @@ interface ads
 typedef [nopull,nopush] struct {
 nbt_server_type flags; /* cldap flags identifying the services. */
+ string workgroup;
 string realm;
 string bind_path;
 string ldap_server_name;
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index d95a2097416..43fa0261ad9 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
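Review bot: In the first ldap.c hunk (`@@ -280`), the free list at the top of ads_fill_cldap_reply() now touches only `ads->config.*`, but nothing in the code records why `ads->server.workgroup` must stay out of it. The commit message shows ads_find_dc() holding `c_domain = ads->server.workgroup` across the call chain that reaches this function, which is what produced the read of freed memory in the Valgrind trace. I would extend the existing comment to something like `/* Fill in the ads->config values; ads->server.* is caller input that ads_find_dc() still points into, so it must not be freed or replaced here */`. The function body starts and ends outside the hunk.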
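Review bot: In the second ldap.c hunk (`@@ -301`), `talloc_strdup(ads, cldap_reply->domain_name)` returns NULL both on allocation failure and when the source pointer is NULL, so a reply without a domain name would be logged as "Out of memory". `domain_name` comes from the CLDAP reply, i.e. from the network; whether the parser can leave it NULL is not visible here. If it can, a NULL check on `cldap_reply->domain_name` ahead of the copy with its own message, e.g. `DBG_WARNING("CLDAP reply has no domain name\n");`, taking the same `ret = false; goto out;` path, would keep the log accurate. The block removed in the `@@ -339` hunk behaved the same way, so this is not a regression.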
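Review bot: The new `string workgroup;` member in the ads.idl hunk (`@@ -59`) has no comment, although the ADS_STRUCT now carries a workgroup in both `server` and `config` and confusing the two is what this commit fixes. A short comment would make the distinction explicit, e.g. `string workgroup; /* copied from the CLDAP reply's domain_name; server.workgroup stays the caller's value */`. The struct definition continues outside the hunk.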
@@ -521,6 +521,11 @@ static int net_ads_info_json(ADS_STRUCT *ads)
 goto failure;
 }
+ ret = json_add_string (&jsobj, "Workgroup", ads->config.workgroup);
+ if (ret != 0) {
+ goto failure;
+ }
+
 ret = json_add_string (&jsobj, "Realm", ads->config.realm);
 if (ret != 0) {
 goto failure;
@@ -627,6 +632,7 @@ static int net_ads_info(struct net_context *c, int argc, const char **argv)
 d_printf(_("LDAP server: %s\n"), addr);
 d_printf(_("LDAP server name: %s\n"), ads->config.ldap_server_name);
+ d_printf(_("Workgroup: %s\n"), ads->config.workgroup);
 d_printf(_("Realm: %s\n"), ads->config.realm);
 d_printf(_("Bind Path: %s\n"), ads->config.bind_path);
 d_printf(_("LDAP port: %d\n"), ads->ldap.port);
--
2.11.4.GIT