[SCM] Samba Shared Repository - branch master updated
Andreas Schneider
asn at samba.org
Thu Nov 14 01:51:00 MST 2013
On Friday 08 November 2013 23:45:08 Stefan Metzmacher wrote:
> > commit 12a2230581b3ff5c7a29819532652d7ddfe61521
> > Author: Andreas Schneider <asn at samba.org>
> > Date: Fri Nov 8 16:14:35 2013 +0100
> >
> > s4-smb_server: Fix a use after free.
> >
> > If we haven't allocated the smbsrv_session then we should not free it.
> >
> > Signed-off-by: Andreas Schneider <asn at samba.org>
> > Reviewed-by: Jeremy Allison <jra at samba.org>
> >
> > diff --git a/source4/smb_server/smb/sesssetup.c
> > b/source4/smb_server/smb/sesssetup.c index b26c128..4ebc0c4 100644
> > --- a/source4/smb_server/smb/sesssetup.c
> > +++ b/source4/smb_server/smb/sesssetup.c
> > @@ -415,6 +415,7 @@ static void sesssetup_spnego(struct smbsrv_request
> > *req, union smb_sesssetup *se>
> > {
> >
> > NTSTATUS status;
> > struct smbsrv_session *smb_sess = NULL;
> >
> > + bool is_smb_sess_new = false;
> >
> > struct sesssetup_spnego_state *s = NULL;
> > uint16_t vuid;
> > struct tevent_req *subreq;
> >
> > @@ -465,6 +466,7 @@ static void sesssetup_spnego(struct smbsrv_request
> > *req, union smb_sesssetup *se>
> > status = NT_STATUS_INSUFFICIENT_RESOURCES;
> > goto failed;
> >
> > }
> >
> > + is_smb_sess_new = true;
> >
> > } else {
> >
> > smb_sess = smbsrv_session_find_sesssetup(req->smb_conn, vuid);
> >
> > }
> >
> > @@ -510,7 +512,9 @@ static void sesssetup_spnego(struct smbsrv_request
> > *req, union smb_sesssetup *se>
> > nomem:
> > status = NT_STATUS_NO_MEMORY;
> >
> > failed:
> > - talloc_free(smb_sess);
> > + if (is_smb_sess_new) {
> > + talloc_free(smb_sess);
> > + }
> >
> > status = nt_status_squash(status);
> > smbsrv_sesssetup_backend_send(req, sess, status);
>
> I think we need to talloc_steal(req, smb_sess) here.
> This is similar to
> https://git.samba.org/?p=samba.git;a=commitdiff;h=25494628a2e977568de0f63460
> 2ebe893d0a5b88
I don't think so. We just allocated the smb_sess structure here and it is not
set or attached to anything yet, so we can free it.
-- andreas
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
More information about the samba-technical
mailing list