[SCM] Samba Shared Repository - branch master updated

Andreas Schneider asn at samba.org
Mon Nov 18 01:08:19 MST 2013 

On Thursday 14 November 2013 13:01:27 Stefan  Metzmacher wrote:
> Am 14.11.2013 09:51, schrieb Andreas Schneider:
> > On Friday 08 November 2013 23:45:08 Stefan  Metzmacher wrote:
> >>> commit 12a2230581b3ff5c7a29819532652d7ddfe61521
> >>> Author: Andreas Schneider <asn at samba.org>
> >>> Date:   Fri Nov 8 16:14:35 2013 +0100
> >>> 
> >>>     s4-smb_server: Fix a use after free.
> >>>     
> >>>     If we haven't allocated the smbsrv_session then we should not free
> >>>     it.
> >>>     
> >>>     Signed-off-by: Andreas Schneider <asn at samba.org>
> >>>     Reviewed-by: Jeremy Allison <jra at samba.org>
> >>> 
> >>> diff --git a/source4/smb_server/smb/sesssetup.c
> >>> b/source4/smb_server/smb/sesssetup.c index b26c128..4ebc0c4 100644
> >>> --- a/source4/smb_server/smb/sesssetup.c
> >>> +++ b/source4/smb_server/smb/sesssetup.c
> >>> @@ -415,6 +415,7 @@ static void sesssetup_spnego(struct smbsrv_request
> >>> *req, union smb_sesssetup *se>
> >>> 
> >>>  {
> >>>  
> >>>  	NTSTATUS status;
> >>>  	struct smbsrv_session *smb_sess = NULL;
> >>> 
> >>> +	bool is_smb_sess_new = false;
> >>> 
> >>>  	struct sesssetup_spnego_state *s = NULL;
> >>>  	uint16_t vuid;
> >>>  	struct tevent_req *subreq;
> >>> 
> >>> @@ -465,6 +466,7 @@ static void sesssetup_spnego(struct smbsrv_request
> >>> *req, union smb_sesssetup *se>
> >>> 
> >>>  			status = NT_STATUS_INSUFFICIENT_RESOURCES;
> >>>  			goto failed;
> >>>  		
> >>>  		}
> >>> 
> >>> +		is_smb_sess_new = true;
> >>> 
> >>>  	} else {
> >>>  	
> >>>  		smb_sess = smbsrv_session_find_sesssetup(req->smb_conn, vuid);
> >>>  	
> >>>  	}
> >>> 
> >>> @@ -510,7 +512,9 @@ static void sesssetup_spnego(struct smbsrv_request
> >>> *req, union smb_sesssetup *se>
> >>> 
> >>>  nomem:
> >>>  	status = NT_STATUS_NO_MEMORY;
> >>>  
> >>>  failed:
> >>> -	talloc_free(smb_sess);
> >>> +	if (is_smb_sess_new) {
> >>> +		talloc_free(smb_sess);
> >>> +	}
> >>> 
> >>>  	status = nt_status_squash(status);
> >>>  	smbsrv_sesssetup_backend_send(req, sess, status);
> >> 
> >> I think we need to talloc_steal(req, smb_sess) here.
> >> This is similar to
> >> https://git.samba.org/?p=samba.git;a=commitdiff;h=25494628a2e977568de0f63
> >> 460 2ebe893d0a5b88
> > 
> > I don't think so. We just allocated the smb_sess structure here and it is
> > not set or attached to anything yet, so we can free it.
> 
> Sure, but if we didn't allocate, we need to invalidate the existing session.
> 
> metze

Better?

-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s4-smb_server-Invalidate-the-session-earlier.patch
Type: text/x-patch
Size: 938 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20131118/12e314fb/attachment.bin>

More information about the samba-technical mailing list