[PATCH] smbd: Fix a use-after-free

Volker Lendecke Volker.Lendecke at SerNet.DE
Fri Oct 10 03:57:13 MDT 2014


Hi!

Review&push would be appreciated!

Thanks,

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
-------------- next part --------------
From 1fa8c0d3bb48d7e6077b00d2ec8628538abd754d Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Fri, 10 Oct 2014 11:40:14 +0200
Subject: [PATCH] smbd: Fix a use-after-free

We can't reference xconn->next after it was talloc_free'ed

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/smbd/server_exit.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/source3/smbd/server_exit.c b/source3/smbd/server_exit.c
index d48a8f2..6a51c24 100644
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -218,7 +218,10 @@ static void exit_server_common(enum server_exit_reason how,
 	 * because smbd_msg_ctx is not a talloc child of smbd_server_conn.
 	 */
 	if (client != NULL) {
-		for (; xconn != NULL; xconn = xconn->next) {
+		struct smbXsrv_connection *next;
+
+		for (; xconn != NULL; xconn = next) {
+			next = xconn->next;
 			DLIST_REMOVE(client->connections, xconn);
 			talloc_free(xconn);
 		}
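Review bot: In the rewritten loop, nothing marks that `next = xconn->next;` has to stay the first statement of the body, ahead of `DLIST_REMOVE(client->connections, xconn);` and `talloc_free(xconn);`. A short comment on that line (for example, that xconn is freed below, so its successor is saved first) would keep a later cleanup from folding the read back into the `for` header, which is the form the removed line had. Declaring the variable as `struct smbXsrv_connection *next = NULL;` would also make any future use before assignment fail in an obvious way.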
-- 
1.7.1


