[SCM] Samba Shared Repository - branch master updated

David Disseldorp ddiss at samba.org
Mon Apr 13 18:59:04 MDT 2015


The branch, master has been updated
       via  2d4db4a s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid.
      from  2a6e170 witness: add WITNESS_UNSPECIFIED_VERSION to IDL.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 2d4db4a65e1e8924470741378fe249f22196eceb
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Mar 31 14:40:23 2015 -0700

    s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid.
    
    Bug #11186: Crash seen in libsmbclient due to free of server structure during SMBC_getxattr() call
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11186
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: David Disseldorp <ddiss at samba.org>
    
    Autobuild-User(master): David Disseldorp <ddiss at samba.org>
    Autobuild-Date(master): Tue Apr 14 02:58:43 CEST 2015 on sn-devel-104

-----------------------------------------------------------------------

Summary of changes:
 source3/libsmb/libsmb_xattr.c | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)


Changeset truncated at 500 lines:

diff --git a/source3/libsmb/libsmb_xattr.c b/source3/libsmb/libsmb_xattr.c
index 8493776..9f7bea8 100644
--- a/source3/libsmb/libsmb_xattr.c
+++ b/source3/libsmb/libsmb_xattr.c
@@ -2073,6 +2073,25 @@ SMBC_getxattr_ctx(SMBCCTX *context,
         if (! srv->no_nt_session) {
                 ipc_srv = SMBC_attr_server(frame, context, server, port, share,
                                            &workgroup, &user, &password);
+		/*
+		 * SMBC_attr_server() can cause the original
+		 * server to be removed from the cache.
+		 * If so we must error out here as the srv
+		 * pointer has been freed.
+		 */
+		if (smbc_getFunctionGetCachedServer(context)(context,
+				server,
+				share,
+				workgroup,
+				user) != srv) {
+#if defined(ECONNRESET)
+			errno = ECONNRESET;
+#else
+			errno = ETIMEDOUT;
+#endif
+			TALLOC_FREE(frame);
+			return -1;
+		}
                 if (! ipc_srv) {
                         srv->no_nt_session = True;
                 }
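Review bot: In SMBC_getxattr_ctx() the cache lookup runs between SMBC_attr_server() and the `if (! ipc_srv)` test without preserving errno, whereas the SMBC_removexattr_ctx() hunk in this same patch adds `saved_errno` around the identical check. If the errno left by a failed SMBC_attr_server() matters to anything after this point, save it before the lookup and restore it in the `if (! ipc_srv)` branch here as well. If it does not matter in this function, a short comment saying why would explain the asymmetry between the two call sites.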
@@ -2208,9 +2227,31 @@ SMBC_removexattr_ctx(SMBCCTX *context,
         }
 
         if (! srv->no_nt_session) {
+		int saved_errno;
                 ipc_srv = SMBC_attr_server(frame, context, server, port, share,
                                            &workgroup, &user, &password);
+		saved_errno = errno;
+		/*
+		 * SMBC_attr_server() can cause the original
+		 * server to be removed from the cache.
+		 * If so we must error out here as the srv
+		 * pointer has been freed.
+		 */
+		if (smbc_getFunctionGetCachedServer(context)(context,
+				server,
+				share,
+				workgroup,
+				user) != srv) {
+#if defined(ECONNRESET)
+			errno = ECONNRESET;
+#else
+			errno = ETIMEDOUT;
+#endif
+			TALLOC_FREE(frame);
+			return -1;
+		}
                 if (! ipc_srv) {
+			errno = saved_errno;
                         srv->no_nt_session = True;
                 }
         } else {
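Review bot: The revalidation lookup passes `workgroup` and `user` after SMBC_attr_server() was handed `&workgroup` and `&user`, so if that call updates either value the cache is queried with a different key than the one srv was found under, and a still-valid srv would be reported as ECONNRESET. Consider capturing the original workgroup and user before the call and using those in the comparison. The check and its comment are also duplicated verbatim from the getxattr hunk; a small static helper taking context, server, share, workgroup, user and srv would keep the two call sites from drifting apart.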


-- 
Samba Shared Repository

