[SCM] Samba Shared Repository - branch v4-4-test updated
Karolin Seeger
kseeger at samba.org
Mon Jul 24 23:32:03 UTC 2017
The branch, v4-4-test has been updated
via 189a717 s3: smbd: Fix a read after free if a chained SMB1 call goes async.
from 9ff57c8 s3/smbd: let non_widelink_open() chdir() to directories directly
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-4-test
- Log -----------------------------------------------------------------
commit 189a71748c9636097c7d56c65ef521590c96e397
Author: Jeremy Allison <jra at samba.org>
Date: Thu Jul 13 12:06:58 2017 -0700
s3: smbd: Fix a read after free if a chained SMB1 call goes async.
Reported to the Samba Team by Yihan Lian <lianyihan at 360.cn>, a security
researcher of Qihoo 360 GearTeam. Thanks a lot!
smb1_parse_chain() incorrectly used talloc_tos() for the memory
context of the chained smb1 requests. This gets freed between
requests so if a chained request goes async, the saved request
array also is freed, which causes a crash on resume.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12836
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 5fe76a5474823ed7602938a07c9c43226a7882a3)
Autobuild-User(v4-4-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-4-test): Tue Jul 25 01:31:58 CEST 2017 on sn-devel-144
-----------------------------------------------------------------------
Summary of changes:
source3/smbd/process.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Changeset truncated at 500 lines:
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index 47fd16f..b1b2b92 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1784,7 +1784,7 @@ static void construct_reply_chain(struct smbXsrv_connection *xconn,
unsigned num_reqs;
bool ok;
- ok = smb1_parse_chain(talloc_tos(), (uint8_t *)inbuf, xconn, encrypted,
+ ok = smb1_parse_chain(xconn, (uint8_t *)inbuf, xconn, encrypted,
seqnum, &reqs, &num_reqs);
if (!ok) {
char errbuf[smb_size];
--
Samba Shared Repository
More information about the samba-cvs
mailing list