[PATCH 12/12] s3: smbd: smb2-sessionsetup. Fix use after free when the sessionsetup request state is freed before struct smbXsrv_session struct.
abartlet at samba.org
Sun Sep 7 17:30:38 MDT 2014
From: Jeremy Allison <jra at samba.org>
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
---
source3/smbd/smb2_sesssetup.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index b31df84..69905c4 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -477,6 +477,12 @@ static int smbd_smb2_session_setup_state_destructor(struct smbd_smb2_session_set
state->smb2req->session = talloc_move(state->smb2req, &state->session);
/*
+ * We own the session now - we don't need the
+ * tag talloced on session that keeps track of session independently.
+ */
+ TALLOC_FREE(state->pp_self_ref);
+
+ /*
* We've made this session owned by the current request.
* Ensure that any outstanding requests don't also refer
* to it.
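
Review bot: The new comment above TALLOC_FREE(state->pp_self_ref) says the tag is no longer needed but not why it has to go. The subject line gives the reason (a use after free when the session setup request state is freed before the smbXsrv_session), yet the commit has no body and the comment does not connect pp_self_ref to that failure. Suggest rewording the comment to say that pp_self_ref is talloced on the session and can therefore outlive state, which is why it is released here once state->smb2req owns the session. TALLOC_FREE does nothing on a NULL pointer and clears the pointer afterwards, so no extra guard is needed around the call.
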
--
2.1.0