[SCM] Samba Shared Repository - branch v4-5-test updated

Karolin Seeger kseeger at samba.org
Tue Jul 25 03:33:02 UTC 2017

The branch, v4-5-test has been updated
       via  cfa8c18 s3: smbd: Fix a read after free if a chained SMB1 call goes async.
      from  5d740e4 s3: libsmb: Fix use-after-free when accessing pointer *p.


- Log -----------------------------------------------------------------
commit cfa8c189da1a4dbbf00d76068fbf2a11c0837747
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Jul 13 12:06:58 2017 -0700

    s3: smbd: Fix a read after free if a chained SMB1 call goes async.

    Reported to the Samba Team by Yihan Lian <lianyihan at 360.cn>, a security
    researcher of Qihoo 360 GearTeam. Thanks a lot!

    smb1_parse_chain() incorrectly used talloc_tos() for the memory
    context of the chained smb1 requests. This gets freed between
    requests so if a chained request goes async, the saved request
    array also is freed, which causes a crash on resume.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12836

    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 5fe76a5474823ed7602938a07c9c43226a7882a3)

    Autobuild-User(v4-5-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-5-test): Tue Jul 25 05:32:53 CEST 2017 on sn-devel-144


Summary of changes:
 source3/smbd/process.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Changeset truncated at 500 lines:

diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index 8f097ec..656f1c0 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1784,7 +1784,7 @@ static void construct_reply_chain(struct smbXsrv_connection *xconn,
 	unsigned num_reqs;
 	bool ok;
-	ok = smb1_parse_chain(talloc_tos(), (uint8_t *)inbuf, xconn, encrypted,
+	ok = smb1_parse_chain(xconn, (uint8_t *)inbuf, xconn, encrypted,
 			      seqnum, &reqs, &num_reqs);
 	if (!ok) {
 		char errbuf[smb_size];
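
Review bot: At the changed smb1_parse_chain() call, the reqs array is now parented to xconn, which lives as long as the connection, and nothing in the visible lines shows where reqs is released once the chain completes or when the `if (!ok)` branch is taken. Please confirm that every completion and error path frees it explicitly; otherwise each chained request leaves its array attached to the connection until disconnect, which a client can repeat at will. A short comment above the call stating that talloc_tos() must not be used here, because a chained request can go async and the stackframe is freed between requests, would keep a later cleanup from reverting this. It would also explain why xconn appears twice in the argument list, once as memory context and once as the connection.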

Samba Shared Repository
