[SCM] Samba Shared Repository - branch master updated

Stefan (metze) Metzmacher metze at samba.org
Thu Nov 14 05:01:27 MST 2013 

Am 14.11.2013 09:51, schrieb Andreas Schneider:
> On Friday 08 November 2013 23:45:08 Stefan  Metzmacher wrote:
>>> commit 12a2230581b3ff5c7a29819532652d7ddfe61521
>>> Author: Andreas Schneider <asn at samba.org>
>>> Date:   Fri Nov 8 16:14:35 2013 +0100
>>>
>>>     s4-smb_server: Fix a use after free.
>>>     
>>>     If we haven't allocated the smbsrv_session then we should not free it.
>>>     
>>>     Signed-off-by: Andreas Schneider <asn at samba.org>
>>>     Reviewed-by: Jeremy Allison <jra at samba.org>
>>>
>>> diff --git a/source4/smb_server/smb/sesssetup.c
>>> b/source4/smb_server/smb/sesssetup.c index b26c128..4ebc0c4 100644
>>> --- a/source4/smb_server/smb/sesssetup.c
>>> +++ b/source4/smb_server/smb/sesssetup.c
>>> @@ -415,6 +415,7 @@ static void sesssetup_spnego(struct smbsrv_request
>>> *req, union smb_sesssetup *se> 
>>>  {
>>>  
>>>  	NTSTATUS status;
>>>  	struct smbsrv_session *smb_sess = NULL;
>>>
>>> +	bool is_smb_sess_new = false;
>>>
>>>  	struct sesssetup_spnego_state *s = NULL;
>>>  	uint16_t vuid;
>>>  	struct tevent_req *subreq;
>>>
>>> @@ -465,6 +466,7 @@ static void sesssetup_spnego(struct smbsrv_request
>>> *req, union smb_sesssetup *se> 
>>>  			status = NT_STATUS_INSUFFICIENT_RESOURCES;
>>>  			goto failed;
>>>  		
>>>  		}
>>>
>>> +		is_smb_sess_new = true;
>>>
>>>  	} else {
>>>  	
>>>  		smb_sess = smbsrv_session_find_sesssetup(req->smb_conn, vuid);
>>>  	
>>>  	}
>>>
>>> @@ -510,7 +512,9 @@ static void sesssetup_spnego(struct smbsrv_request
>>> *req, union smb_sesssetup *se> 
>>>  nomem:
>>>  	status = NT_STATUS_NO_MEMORY;
>>>  
>>>  failed:
>>> -	talloc_free(smb_sess);
>>> +	if (is_smb_sess_new) {
>>> +		talloc_free(smb_sess);
>>> +	}
>>>
>>>  	status = nt_status_squash(status);
>>>  	smbsrv_sesssetup_backend_send(req, sess, status);
>>
>> I think we need to talloc_steal(req, smb_sess) here.
>> This is similar to
>> https://git.samba.org/?p=samba.git;a=commitdiff;h=25494628a2e977568de0f63460
>> 2ebe893d0a5b88
> 
> I don't think so. We just allocated the smb_sess structure here and it is not 
> set or attached to anything yet, so we can free it.

Sure, but if we didn't allocate, we need to invalidate the existing session.

metze

More information about the samba-technical mailing list