FW: [PATCH] Stop use after free (try 2)

Jeremy Allison jra at samba.org
Fri Sep 27 04:12:56 MDT 2013


On Fri, Sep 27, 2013 at 07:49:55PM +1000, Alistair Leslie-Hughes wrote:
> On 27/09/2013 6:55 PM, Jeremy Allison wrote:
> >>  			reply_code = "AF";
> >>-			reply_arg = session_info->unix_info->unix_name;
> >>+			reply_arg = talloc_strdup(state->gensec_state, session_info->unix_info->unix_name);
> >>  			talloc_free(session_info);
> >>  		}
> >>  	} else if (state->gensec_state->gensec_role == GENSEC_CLIENT) {
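
Review bot: The talloc_strdup() result on the added line is assigned to reply_arg with no NULL check, so an allocation failure leaves reply_arg NULL while reply_code is still "AF". Test the return value right after the call and switch to an error reply before talloc_free(session_info) runs.
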
> >>--
> Attached.
> 
> Best Regards
>  Alistair Leslie-Hughes

> From 2d79ecfba81c879a67110667808ab21e3952fc8a Mon Sep 17 00:00:00 2001
> From: Alistair Leslie-Hughes <leslie_alistair at hotmail.com>
> Date: Fri, 27 Sep 2013 08:31:00 +1000
> Subject: [PATCH] Stop use after free
> 
> Fixes bug #10087
> 
> Thanks to Man Min Yan for their analysis and providing a solution to the issue.
> ---
>  source3/utils/ntlm_auth.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
> index 8d55629..1df615c 100644
> --- a/source3/utils/ntlm_auth.c
> +++ b/source3/utils/ntlm_auth.c
> @@ -1678,7 +1678,11 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
>  		} else {
>  
>  			reply_code = "AF";
> -			reply_arg = session_info->unix_info->unix_name;
> +			reply_arg = talloc_strdup(state->gensec_state, session_info->unix_info->unix_name);
> +			if (reply_arg == NULL) {
> +				reply_code = "BH out of memory";
> +				reply_arg = nt_errstr(NT_STATUS_NO_MEMORY);
> +			}
>  			talloc_free(session_info);
>  		}
>  	} else if (state->gensec_state->gensec_role == GENSEC_CLIENT) {
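
Review bot: In the new NULL branch, reply_code is set to "BH out of memory", which puts message text into the code field, whereas the success path just above uses the bare code "AF" and carries its data in reply_arg. Consider reply_code = "BH" and leave the explanation to reply_arg, which already receives nt_errstr(NT_STATUS_NO_MEMORY). Separately, the copy is parented to state->gensec_state and nothing in this hunk frees it, so it lives as long as that context does; if this path can run more than once per gensec_state, a shorter-lived talloc parent or an explicit free once the reply has been sent would keep the copies from piling up.
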
> -- 
> 1.8.1.2
> 

+1 Reviewed-by: Jeremy Allison <jra at samba.org>

Can I get a second Team reviewer?

Thanks,

Jeremy.

