FW: [PATCH] Stop use after free (try 2)

Alistair Leslie-Hughes leslie_alistair at hotmail.com
Fri Sep 27 03:49:55 MDT 2013


On 27/09/2013 6:55 PM, Jeremy Allison wrote:
>>   			reply_code = "AF";
>> -			reply_arg = session_info->unix_info->unix_name;
>> +			reply_arg = talloc_strdup(state->gensec_state, session_info->unix_info->unix_name);
>>   			talloc_free(session_info);
>>   		}
>>   	} else if (state->gensec_state->gensec_role == GENSEC_CLIENT) {
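Review bot: on the added talloc_strdup() line, the return value is assigned to reply_arg without a NULL check, so on allocation failure reply_code stays "AF" while reply_arg is NULL. Test reply_arg right after the copy and switch to an error reply before talloc_free(session_info) runs.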
>> --
Attached.

Best Regards
  Alistair Leslie-Hughes
-------------- next part --------------
From 2d79ecfba81c879a67110667808ab21e3952fc8a Mon Sep 17 00:00:00 2001
From: Alistair Leslie-Hughes <leslie_alistair at hotmail.com>
Date: Fri, 27 Sep 2013 08:31:00 +1000
Subject: [PATCH] Stop use after free

Fixes bug #10087

Thanks to Man Min Yan for their analysis and providing a solution to the issue.
---
 source3/utils/ntlm_auth.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 8d55629..1df615c 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -1678,7 +1678,11 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
 		} else {
 
 			reply_code = "AF";
-			reply_arg = session_info->unix_info->unix_name;
+			reply_arg = talloc_strdup(state->gensec_state, session_info->unix_info->unix_name);
+			if (reply_arg == NULL) {
+				reply_code = "BH out of memory";
+				reply_arg = nt_errstr(NT_STATUS_NO_MEMORY);
+			}
 			talloc_free(session_info);
 		}
 	} else if (state->gensec_state->gensec_role == GENSEC_CLIENT) {
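Review bot: in the new NULL branch, reply_code is set to "BH out of memory", which puts message text into the code field, while the success path two lines above uses a bare code ("AF") and carries the data in reply_arg. Consider reply_code = "BH" with the error text left entirely in reply_arg, so the code and argument stay separate. Also worth a comment on the talloc_strdup() line: the copy is parented on state->gensec_state and nothing in this hunk frees it, so it lives as long as that context does; say so explicitly, or free it once the reply has been written. The talloc_strdup() line also runs well past 80 columns and could be wrapped.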
-- 
1.8.1.2


