[PATCH] s4-smb_server: Fix a use after free (explanation).

Andreas Schneider asn at samba.org
Fri Nov 8 08:14:34 MST 2013


If we free the session and haven't allocated it, we will end up in a
use-after-free situation and segfault.

==28009== Invalid read of size 8
==28009==    at 0xB2B4CE7: smbsrv_handle_destructor (handle.c:93)
==28009==    by 0x419411C: _talloc_free_internal (talloc.c:986)
==28009==    by 0x4193E5A: _talloc_free_internal (talloc.c:1455)
==28009==    by 0x4193E5A: _talloc_free_internal (talloc.c:1455)
==28009==    by 0x4193E5A: _talloc_free_internal (talloc.c:1455)
==28009==    by 0x4190552: _talloc_free (talloc.c:1455)
==28009==    by 0x40353A7: standard_terminate (process_standard.c:199)
==28009==    by 0x411D1CA: stream_terminate_connection (service_stream.c:85)
==28009==    by 0x4188FCA: epoll_event_loop_once (tevent_epoll.c:736)
==28009==    by 0x4187476: std_event_loop_once (tevent_standard.c:112)
==28009==    by 0x4183EBC: _tevent_loop_once (tevent.c:530)
==28009==    by 0x418405A: tevent_common_loop_wait (tevent.c:634)
==28009==    by 0x4187416: std_event_loop_wait (tevent_standard.c:138)
==28009==    by 0x403559B: standard_accept_connection (process_standard.c:136)
==28009==    by 0x4188FCA: epoll_event_loop_once (tevent_epoll.c:736)
==28009==    by 0x4187476: std_event_loop_once (tevent_standard.c:112)
==28009==    by 0x4183EBC: _tevent_loop_once (tevent.c:530)
==28009==    by 0x418405A: tevent_common_loop_wait (tevent.c:634)
==28009==    by 0x4187416: std_event_loop_wait (tevent_standard.c:138)
==28009==    by 0x40357B5: standard_new_task (process_standard.c:186)
==28009==  Address 0x104c5be0 is 144 bytes inside a block of size 232 free'd
==28009==    at 0x4C28ADC: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==28009==    by 0x41905CB: _talloc_free (talloc.c:1050)
==28009==    by 0xB2B16C4: smbsrv_sesssetup_backend (sesssetup.c:513)
==28009==    by 0xB2A21C5: smbsrv_recv_smb_request (receive.c:444)
==28009==    by 0x5D795B7: packet_recv (packet.c:416)
==28009==    by 0x411D2C0: stream_io_handler (service_stream.c:98)
==28009==    by 0x4188FCA: epoll_event_loop_once (tevent_epoll.c:736)
==28009==    by 0x4187476: std_event_loop_once (tevent_standard.c:112)
==28009==    by 0x4183EBC: _tevent_loop_once (tevent.c:530)
==28009==    by 0x418405A: tevent_common_loop_wait (tevent.c:634)
==28009==    by 0x4187416: std_event_loop_wait (tevent_standard.c:138)
==28009==    by 0x403559B: standard_accept_connection (process_standard.c:136)
==28009==    by 0x4188FCA: epoll_event_loop_once (tevent_epoll.c:736)
==28009==    by 0x4187476: std_event_loop_once (tevent_standard.c:112)
==28009==    by 0x4183EBC: _tevent_loop_once (tevent.c:530)
==28009==    by 0x418405A: tevent_common_loop_wait (tevent.c:634)
==28009==    by 0x4187416: std_event_loop_wait (tevent_standard.c:138)
==28009==    by 0x40357B5: standard_new_task (process_standard.c:186)
==28009==    by 0x411E309: task_server_startup (service_task.c:112)
==28009==    by 0x411CFB2: server_service_startup (service.c:63)

I ran into this in the samba4.raw.session test.

TDB_NO_FSYNC=1 make test TESTS="samba4.raw.session" SAMBA_VALGRIND="valgrind --tool=memcheck -v --num-callers=20 --log-file=raw.session.vg.log"
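The ownership rule behind the fix (on the error path, free the session only if this call allocated it, because open handles still hold a pointer to a pre-existing session) modelled as an added C example. This is not Samba's code and not talloc: every name in it (smb_session, smb_handle, smb_conn, sesssetup_backend, handle_destructor, the q_* quarantine helpers) is hypothetical. Instead of really freeing memory, the model quarantines freed objects so the stale read at teardown is counted, which is the kind of access memcheck reported above, rather than being undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example modelling the ownership bug described in the mail. It is not
 * Samba's code and not talloc; every name here (smb_session, smb_handle,
 * smb_conn, sesssetup_backend, handle_destructor) is hypothetical. Freed
 * objects are quarantined (marked dead, memory kept) so an access through a
 * stale pointer is counted instead of being undefined behaviour. */

#define MAX_OBJECTS 16
static struct { void *ptr; bool live; } quarantine[MAX_OBJECTS];
static size_t q_count;

static size_t q_index(const void *p)          /* == q_count if p is unknown */
{
    size_t i;
    for (i = 0; i < q_count && quarantine[i].ptr != p; i++) {}
    return i;
}

static void *q_alloc(size_t size)
{
    void *p = q_count < MAX_OBJECTS ? calloc(1, size) : NULL;
    if (p != NULL) { quarantine[q_count].ptr = p; quarantine[q_count].live = true; q_count++; }
    return p;
}

/* Stand-in for talloc_free(): marks the object dead but keeps the memory so a
 * stale pointer can still be recognised. Returns false on a double free. */
static bool q_free(void *p)
{
    size_t i = q_index(p);
    if (i == q_count || !quarantine[i].live) return false;
    quarantine[i].live = false; return true;
}

static bool q_is_live(const void *p) { size_t i = q_index(p); return i < q_count && quarantine[i].live; }
static void q_reset(void) { while (q_count > 0) free(quarantine[--q_count].ptr); }

struct smb_session { int vuid; };
struct smb_handle  { struct smb_session *session; };   /* back-pointer read at teardown */
struct smb_conn    { struct smb_session *session; struct smb_handle *handle; int uaf_reports; };

/* Hypothetical session-setup backend. On an authentication failure it must
 * release only what it allocated itself: freeing a pre-existing session leaves
 * every handle's back-pointer dangling. 'buggy' reproduces that mistake. */
static int sesssetup_backend(struct smb_conn *conn, bool auth_ok, bool buggy)
{
    bool allocated_here = false;
    if (conn->session == NULL) {
        if ((conn->session = q_alloc(sizeof *conn->session)) == NULL) return -1;
        allocated_here = true;
    }
    if (auth_ok) return 0;
    if (allocated_here || buggy) {   /* the fix: free only what this call created */
        q_free(conn->session);
        conn->session = NULL;
    }
    return -1;
}

/* Stand-in for the handle destructor that runs at connection teardown and
 * dereferences the session the handle was opened under. */
static void handle_destructor(struct smb_conn *conn)
{
    struct smb_handle *h = conn->handle;
    if (h == NULL) return;
    if (q_is_live(h->session)) (void)h->session->vuid;   /* valid read */
    else conn->uaf_reports++;                             /* memcheck's "Invalid read" */
    q_free(h);
    conn->handle = NULL;
}

/* Replays the sequence from the mail: an established session with an open
 * handle, a failed second session setup, then connection teardown. Returns
 * the number of stale accesses detected; 0 is the correct behaviour. */
static int run_scenario(bool buggy)
{
    struct smb_conn conn = { 0 };
    q_reset();
    conn.session = q_alloc(sizeof *conn.session);
    conn.handle = q_alloc(sizeof *conn.handle);
    if (conn.session == NULL || conn.handle == NULL) { q_reset(); return -1; }
    conn.session->vuid = 100;
    conn.handle->session = conn.session;
    (void)sesssetup_backend(&conn, false, buggy);
    handle_destructor(&conn);
    if (conn.session != NULL) q_free(conn.session);
    int reports = conn.uaf_reports;
    q_reset();
    return reports;
}

int main(void)
{
    printf("buggy teardown: %d stale access(es)\n", run_scenario(true));
    printf("fixed teardown: %d stale access(es)\n", run_scenario(false));
    return 0;
}
```

The buggy variant frees the session the handle still points at and the teardown counts one stale access; the fixed variant leaves a session it did not create alone and the teardown reads a live object. The quarantine allocator is only a teaching device for making the dangling read observable; under a real allocator that read is the segfault the mail describes.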
