[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Sat Jul 22 20:46:02 UTC 2017 

The branch, master has been updated
       via  890137c s3: libsmb: Fix use-after-free when accessing pointer *p.
      from  6c45db6 s4-drepl: Use tevent_schedule_immediate() in DsReplicaSync handler

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 890137cffedcaf88a9ff808c01335ee14fcfd8da
Author: Thomas Jarosch <thomas.jarosch at intra2net.com>
Date:   Sat Jul 22 09:36:18 2017 -0700

    s3: libsmb: Fix use-after-free when accessing pointer *p.
    
    talloc_asprintf_append() might call realloc()
    and therefore move the memory address of "path".
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12927
    
    Signed-off-by: Thomas Jarosch <thomas.jarosch at intra2net.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Böhme <slow at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Sat Jul 22 22:45:05 CEST 2017 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
 source3/libsmb/libsmb_dir.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c
index 4a4e084..8038584 100644
--- a/source3/libsmb/libsmb_dir.c
+++ b/source3/libsmb/libsmb_dir.c
@@ -379,9 +379,9 @@ SMBC_opendir_ctx(SMBCCTX *context,
         char *options = NULL;
 	char *workgroup = NULL;
 	char *path = NULL;
+	size_t path_len = 0;
         uint16_t mode;
 	uint16_t port = 0;
-        char *p = NULL;
 	SMBCSRV *srv  = NULL;
 	SMBCFILE *dir = NULL;
 	struct sockaddr_storage rem_ss;
@@ -802,7 +802,7 @@ SMBC_opendir_ctx(SMBCCTX *context,
 
 			/* Now, list the files ... */
 
-                        p = path + strlen(path);
+                        path_len = strlen(path);
 			path = talloc_asprintf_append(path, "\\*");
 			if (!path) {
 				if (dir) {
@@ -844,7 +844,7 @@ SMBC_opendir_ctx(SMBCCTX *context,
                                          * got would have been EINVAL rather
                                          * than ENOTDIR.
                                          */
-                                        *p = '\0'; /* restore original path */
+                                        path[path_len] = '\0'; /* restore original path */
 
                                         if (SMBC_getatr(context, srv, path,
                                                         &mode, NULL,


-- 
Samba Shared Repository

More information about the samba-cvs mailing list