[SCM] Samba Shared Repository - branch master updated

Stefan (metze) Metzmacher metze at samba.org
Fri Nov 8 15:45:08 MST 2013


> commit 12a2230581b3ff5c7a29819532652d7ddfe61521
> Author: Andreas Schneider <asn at samba.org>
> Date:   Fri Nov 8 16:14:35 2013 +0100
> 
>     s4-smb_server: Fix a use after free.
>     
>     If we haven't allocated the smbsrv_session then we should not free it.
>     
>     Signed-off-by: Andreas Schneider <asn at samba.org>
>     Reviewed-by: Jeremy Allison <jra at samba.org>
>
> diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c
> index b26c128..4ebc0c4 100644
> --- a/source4/smb_server/smb/sesssetup.c
> +++ b/source4/smb_server/smb/sesssetup.c
> @@ -415,6 +415,7 @@ static void sesssetup_spnego(struct smbsrv_request *req, union smb_sesssetup *se
>  {
>  	NTSTATUS status;
>  	struct smbsrv_session *smb_sess = NULL;
> +	bool is_smb_sess_new = false;
>  	struct sesssetup_spnego_state *s = NULL;
>  	uint16_t vuid;
>  	struct tevent_req *subreq;
> @@ -465,6 +466,7 @@ static void sesssetup_spnego(struct smbsrv_request *req, union smb_sesssetup *se
>  			status = NT_STATUS_INSUFFICIENT_RESOURCES;
>  			goto failed;
>  		}
> +		is_smb_sess_new = true;
>  	} else {
>  		smb_sess = smbsrv_session_find_sesssetup(req->smb_conn, vuid);
>  	}
> @@ -510,7 +512,9 @@ static void sesssetup_spnego(struct smbsrv_request *req, union smb_sesssetup *se
>  nomem:
>  	status = NT_STATUS_NO_MEMORY;
>  failed:
> -	talloc_free(smb_sess);
> +	if (is_smb_sess_new) {
> +		talloc_free(smb_sess);
> +	}
>  	status = nt_status_squash(status);
>  	smbsrv_sesssetup_backend_send(req, sess, status);
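Review bot: The new guard at `failed:` encodes an ownership rule that the code never states, so a later cleanup could fold it back into an unconditional `talloc_free(smb_sess)` and reintroduce the use after free. I would add a comment at the guard such as `/* free only a session created in this call; one found by vuid is still owned elsewhere */`, and a matching one-line comment on the `is_smb_sess_new` declaration. Who owns a looked-up session is inferred from the commit message rather than visible in these hunks, so the wording should be confirmed against smbsrv_session_find_sesssetup(). Because this path runs while a session is still being set up, a regression test that takes the failure path with a looked-up session under a memory checker would be worth adding. sesssetup_spnego's body starts and ends outside the hunk.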

I think we need to talloc_steal(req, smb_sess) here.
This is similar to
https://git.samba.org/?p=samba.git;a=commitdiff;h=25494628a2e977568de0f634602ebe893d0a5b88

metze

