[PATCH] smbd: Fix a use-after-free
Volker Lendecke
Volker.Lendecke at SerNet.DE
Fri Oct 10 03:57:13 MDT 2014
Hi!
Review&push would be appreciated!
Thanks,
Volker
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
-------------- next part --------------
From 1fa8c0d3bb48d7e6077b00d2ec8628538abd754d Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Fri, 10 Oct 2014 11:40:14 +0200
Subject: [PATCH] smbd: Fix a use-after-free
We can't reference xconn->next after it was talloc_free'ed
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source3/smbd/server_exit.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/source3/smbd/server_exit.c b/source3/smbd/server_exit.c
index d48a8f2..6a51c24 100644
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -218,7 +218,10 @@ static void exit_server_common(enum server_exit_reason how,
* because smbd_msg_ctx is not a talloc child of smbd_server_conn.
*/
if (client != NULL) {
- for (; xconn != NULL; xconn = xconn->next) {
+ struct smbXsrv_connection *next;
+
+ for (; xconn != NULL; xconn = next) {
+ next = xconn->next;
DLIST_REMOVE(client->connections, xconn);
talloc_free(xconn);
}
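Review bot: the ordering inside the new loop body is load-bearing but undocumented: `next = xconn->next;` must run before both `DLIST_REMOVE(client->connections, xconn)` and `talloc_free(xconn)`, and nothing in the code tells a later editor not to move it. A one-line comment above the assignment would help, for example "save next first, xconn is unlinked and freed below". The commit message names only the talloc_free, so the comment could also record that the pointer is read before the unlink. Declaring `next` inside the `if (client != NULL)` block keeps its scope tight and is fine as is.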
--
1.7.1