Why are we using SMB_MALLOC_ARRAY in smb2_setinfo.c

Stefan (metze) Metzmacher metze at samba.org
Mon Jun 15 00:42:03 MDT 2015


Hi Richard,

the following patch should fix the problem.

For 4.2 we also need commit 78fb663d4c29f9a226c26001492cbc7a9a701668
(smbd: Fix CID 1273088 Resource leak).

metze

Am 14.06.2015 um 19:47 schrieb Richard Sharpe:
> Hi folks,
> 
> In smb2_setinfo.c: smbd_smb2_setinfo_send I see the following code in
> the SMB2_SETINFO_FILE branch of the switch:
> 
>                 data = NULL;
>                 data_size = in_input_buffer.length;
>                 if (data_size > 0) {
>                         data = (char *)SMB_MALLOC_ARRAY(char, data_size);
>                         if (tevent_req_nomem(data, req)) {
>                                 return tevent_req_post(req, ev);
>                         }
>                         memcpy(data, in_input_buffer.data, data_size);
>                 }
> 
> ...
> 
> And then, a little further down there appears to be an early return
> that can leak that memory. This is the
> SMB2_FILE_RENAME_INFORMATION_INTERNAL case.
> 
-------------- next part --------------
From ac1678418443520f0249f95bd618efe7c3d55298 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 15 Jun 2015 08:34:12 +0200
Subject: [PATCH] s3:smb2_setinfo: fix memory leak in the defer_rename case

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11329

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/smbd/smb2_setinfo.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/source3/smbd/smb2_setinfo.c b/source3/smbd/smb2_setinfo.c
index 3f7bbec..930739a 100644
--- a/source3/smbd/smb2_setinfo.c
+++ b/source3/smbd/smb2_setinfo.c
@@ -168,6 +168,12 @@ struct defer_rename_state {
 	int data_size;
 };
 
+static int talloc_set_destructor(struct defer_rename_state *rename_state)
+{
+	SAFE_FREE(rename_state->data);
+	return 0;
+}
+
 static void defer_rename_done(struct tevent_req *subreq);
 
 static struct tevent_req *delay_rename_for_lease_break(struct tevent_req *req,
@@ -240,6 +246,8 @@ static struct tevent_req *delay_rename_for_lease_break(struct tevent_req *req,
 	rename_state->data = data;
 	rename_state->data_size = data_size;
 
+	talloc_set_destructor(rename_state, defer_rename_state_destructor);
+
 	subreq = dbwrap_record_watch_send(
 				rename_state,
 				ev,
-- 
1.9.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150615/9ecf8ba1/attachment.pgp>


More information about the samba-technical mailing list