New lightweight sysdb_entry_in_cache() helper #8482

Status: Closed

alexey-tikhonov wants to merge 2 commits into SSSD:master from alexey-tikhonov:incomplete-groups-again

Conversation

@alexey-tikhonov (Member):

and its usage.

alexey-tikhonov added the labels backport-to-sssd-2-9 and Performance (Performance related patches) on Feb 25, 2026

gemini-code-assist (bot) left a comment:


Code Review

This pull request introduces a new lightweight helper function sysdb_entry_in_cache() to check if a user or group entry exists in the cache, and updates sdap_add_incomplete_groups() to use it. This simplifies the code by replacing a more complex sysdb_search_group_by_name() call.

My review found a critical use-after-free vulnerability in the implementation of sysdb_entry_in_cache(). The function attempts to access memory after it has been freed, which could lead to application instability. I've provided a suggestion to fix this issue.

Unlike `sysdb_search_*_by_name()`, which does filter sanitization,
subtree search with filter evaluation, and timestamp attribute merge,
this helper constructs the DN directly and performs a base-scoped
ldb_search with no attributes. This makes it suitable for callers
that only need to check entry existence in the cache.

Assisted-by: Claude Code (Opus 4.6)
in `sdap_add_incomplete_groups()`

This also avoids memory pressure from 'msg' piling on 'tmp_ctx'.