[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Sun Apr 2 03:19:02 UTC 2017


The branch, master has been updated
       via  a4599b3 s4: server: Fix crash in NTVFS server caused by ordering of destructor calls.
      from  8b32fc4 winbindd: trigger possible passdb_dsdb initialisation

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a4599b3011647c06be0d5a914bc4f72d490f6bc5
Author: Jeremy Allison <jra at samba.org>
Date:   Sat Apr 1 15:34:48 2017 +0000

    s4: server: Fix crash in NTVFS server caused by ordering of destructor calls.
    
    In the NTVFS server we have the following talloc hierarchy:
    
                                       event_ctx
                                         |
            ---------------------------------------------------- .. other children
            |                       |                      |
         msg_dgm_ref              srv_conn            msg_dgm_ref
            ^                       |
            |                    NTVFS structures
            |                       |
            |                    XXXXXX
            |                       |
            |                       |
            --------------------- pointer to msg_dgm_ref
    
    Some of the structures under NTVFS (marked XXXXX) can have
    pointers to imessaging contexts which internally have pointers
    to msg_dgm_ref structures allocated off event_ctx.
    
    The original code calls:
    
            model_ops->terminate(event_ctx, srv_conn->lp_ctx, reason);
            talloc_free(srv_conn);
    
    But model_ops->terminate() calls talloc_free(event_ctx) and
    then calls exit(). In this case srv_conn is never explicitly
    freed, but only freed as a talloc child of the event_ctx.
    
    Depending on the ordering of the linked list of talloc children
    under event_ctx (which can be reordered via talloc_free/reinit
    of msg_dgm_ref) a pointer to msg_dgm_ref under srv_conn can
    be left pointing to memory that was already freed. This pointer
    is then used in the destructor for a file object called when
    srv_conn is freed.
    
    Re-ordering this to explicitly call TALLOC_FREE(srv_conn) first
    and then model_ops->terminate() fixes this problem.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Böhme <slow at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Sun Apr  2 05:18:39 CEST 2017 on sn-devel-144

-----------------------------------------------------------------------
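The destructor-ordering hazard described in the commit message, modelled as an added example (not Samba code and not libtalloc): a toy talloc-style tree in which freeing a node runs its destructor, then frees its children in list order, newest child first. Node and function names (node_alloc, node_free, simulate_teardown, file_destructor) are assumptions for the illustration, and freed nodes are kept in a static pool with a `freed` flag so the dangling reference can be detected without real undefined behaviour. The second parameter switches between the original order (terminate, i.e. free event_ctx, with srv_conn freed only as its child) and the fixed order (free srv_conn explicitly first); the first parameter reproduces the "reinit of msg_dgm_ref" that moves the messaging ref ahead of srv_conn in event_ctx's child list.

```c
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 16

/* Minimal talloc-like node: parent, newest-first child list, destructor,
   and an optional raw pointer to another node (the msg_dgm_ref pointer). */
struct node {
    const char *name;
    struct node *parent;
    struct node *children;             /* newest child first, as talloc does */
    struct node *next;                 /* next sibling */
    int (*destructor)(struct node *);
    struct node *ref;                  /* raw pointer, not a talloc reference */
    int freed;
};

static struct node pool[POOL_SIZE];    /* constructed arena; nothing is really freed */
static int pool_used;
static int dangling_derefs;

static struct node *node_alloc(struct node *parent, const char *name)
{
    struct node *n = &pool[pool_used++];
    memset(n, 0, sizeof *n);
    n->name = name;
    n->parent = parent;
    if (parent) {
        n->next = parent->children;    /* insert at head, like talloc */
        parent->children = n;
    }
    return n;
}

static void node_unlink(struct node *n)
{
    struct node **pp;
    if (n->parent == NULL) return;
    for (pp = &n->parent->children; *pp; pp = &(*pp)->next) {
        if (*pp == n) { *pp = n->next; break; }
    }
    n->parent = NULL;
    n->next = NULL;
}

/* Free order mirrors talloc_free(): the node's own destructor runs first,
   then the children are freed in list order, then the node is released. */
static void node_free(struct node *n)
{
    struct node *c;
    if (n == NULL || n->freed) return;
    if (n->destructor) n->destructor(n);
    while ((c = n->children) != NULL) node_free(c);
    node_unlink(n);
    n->freed = 1;
}

/* Stand-in for the file object's destructor: the real one would call into
   the imessaging context; here we only check whether the target is alive. */
static int file_destructor(struct node *file)
{
    if (file->ref && file->ref->freed) dangling_derefs++;
    return 0;
}

/* Returns the number of dangling dereferences seen during teardown. */
int simulate_teardown(int reinit_msg_ref, int free_srv_conn_first)
{
    struct node *event_ctx, *srv_conn, *ntvfs, *file, *msg_ref;

    pool_used = 0;
    dangling_derefs = 0;

    event_ctx = node_alloc(NULL, "event_ctx");
    msg_ref   = node_alloc(event_ctx, "msg_dgm_ref");
    srv_conn  = node_alloc(event_ctx, "srv_conn");
    ntvfs     = node_alloc(srv_conn, "ntvfs");
    file      = node_alloc(ntvfs, "file");
    file->destructor = file_destructor;

    if (reinit_msg_ref) {
        /* Re-initialising the messaging ref puts the new one at the head of
           event_ctx's child list, i.e. ahead of srv_conn in free order. */
        node_free(msg_ref);
        msg_ref = node_alloc(event_ctx, "msg_dgm_ref");
    }
    file->ref = msg_ref;

    if (free_srv_conn_first) node_free(srv_conn);   /* the fix: TALLOC_FREE(srv_conn) */
    node_free(event_ctx);                           /* model_ops->terminate() */
    return dangling_derefs;
}

int main(void)
{
    printf("original order, no reinit: %d dangling\n", simulate_teardown(0, 0));
    printf("original order, reinit:    %d dangling\n", simulate_teardown(1, 0));
    printf("fixed order, reinit:       %d dangling\n", simulate_teardown(1, 1));
    return 0;
}
```

Only the combination of a reinitialised msg_dgm_ref and the original teardown order reports a dangling dereference, which is the "depending on the ordering of the linked list" behaviour the commit message describes; freeing srv_conn explicitly before the parent makes the result independent of sibling order.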

Summary of changes:
 source4/smbd/service_stream.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/smbd/service_stream.c b/source4/smbd/service_stream.c
index 29e6515..bda28ad 100644
--- a/source4/smbd/service_stream.c
+++ b/source4/smbd/service_stream.c
@@ -54,6 +54,7 @@ void stream_terminate_connection(struct stream_connection *srv_conn, const char
 {
 	struct tevent_context *event_ctx = srv_conn->event.ctx;
 	const struct model_ops *model_ops = srv_conn->model_ops;
+	struct loadparm_context *lp_ctx = srv_conn->lp_ctx;
 
 	if (!reason) reason = "unknown reason";
 
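Review bot: the new lp_ctx local is required by the reordering later in this function, but nothing in the hunk says why it, event_ctx and model_ops are copied out of srv_conn up front; add a one-line comment stating that these are cached because srv_conn is freed before model_ops->terminate() runs, so a future cleanup does not fold them back into srv_conn-> accesses.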
@@ -79,8 +80,8 @@ void stream_terminate_connection(struct stream_connection *srv_conn, const char
 	talloc_free(srv_conn->event.fde);
 	srv_conn->event.fde = NULL;
 	imessaging_cleanup(srv_conn->msg_ctx);
-	model_ops->terminate(event_ctx, srv_conn->lp_ctx, reason);
-	talloc_free(srv_conn);
+	TALLOC_FREE(srv_conn);
+	model_ops->terminate(event_ctx, lp_ctx, reason);
 }
 
 /**
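Review bot: the swapped order is only safe if lp_ctx is not itself a talloc child of srv_conn, since it is passed to model_ops->terminate() after TALLOC_FREE(srv_conn); the hunk does not show where lp_ctx is allocated, so that lifetime assumption should be stated in a comment next to `TALLOC_FREE(srv_conn);`. Switching from talloc_free() to TALLOC_FREE() also NULLs srv_conn, which is fine here because it is the last use in the function.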


-- 
Samba Shared Repository
