[PATCH] Patch for bug 11535

Jeremy Allison jra at samba.org
Thu Oct 1 00:06:33 UTC 2015


On Wed, Sep 30, 2015 at 04:49:52PM -0700, Ralph Böhme wrote:
> On Wed, Sep 30, 2015 at 04:46:11PM -0700, Jeremy Allison wrote:
> > Oh, so it's not me :-). done: calls TALLOC_FREE(dirpath);
> > which is safe on NULL.
> > 
> > So yeah, I'd still love to see the reproducer level 10
> > log with added debugs :-).
> 
> working on it, currently trying to figure out which test(s) from the
> 35 tests that test stream renames trigger this by running them
> individually. We survived 10 so far. ;)

Oh, it *is* still my fault :-). Coverity found it:

New stream code -> goto done (dirpath == NULL):

    done:
            /* Add back the stream if one was stripped off originally. */
            if (stream != NULL) {
                    smb_fname->stream_name = stream;

                    /* Check path now that the base_name has been converted. */
                    status = build_stream_path(ctx, conn, smb_fname);
                    if (!NT_STATUS_IS_OK(status)) {
                            goto fail;
                    }
            }

build_stream_path() fails - calls goto fail;

*Now* we get the NULL dirpath deref :-). 
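
The control flow described in the message above, as a constructed C model added here (not Samba source and not part of the original post). The names convert_name and check_stream, the shortcut flag and the body of the fail: label are assumptions made for illustration; the fail: label is shown in its guarded form, so the model runs without crashing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a late stream check that can fail after done:. */
static int check_stream(int stream_ok) { return stream_ok ? 0 : -1; }

/* Constructed model. shortcut != 0 models an early "goto done" taken
 * before dirpath has been allocated. Returns 0 on success, -1 on failure;
 * out always receives a NUL-terminated name. */
int convert_name(const char *base, const char *stream, int shortcut,
                 int stream_ok, char *out, size_t outlen)
{
    char *dirpath = NULL;

    if (shortcut) {
        goto done;                      /* dirpath is still NULL here */
    }
    dirpath = malloc(2);
    if (dirpath == NULL) {
        snprintf(out, outlen, "%s", base);
        return -1;
    }
    strcpy(dirpath, ".");

done:
    /* A check placed after done: can still fail and jump to fail:. */
    if (stream != NULL && check_stream(stream_ok) != 0) {
        goto fail;
    }
    snprintf(out, outlen, "%s%s", base, stream != NULL ? stream : "");
    free(dirpath);                      /* free(NULL) is a no-op */
    return 0;

fail:
    /* Guarded form: without the NULL test, *dirpath would be read
     * through a NULL pointer when we arrived via the shortcut. */
    if (dirpath != NULL && *dirpath != '\0') {
        snprintf(out, outlen, "%s/%s", dirpath, base);
    } else {
        snprintf(out, outlen, "%s", base);
    }
    free(dirpath);
    return -1;
}
```

Freeing a NULL pointer at a cleanup label is harmless, but any label that reads through the pointer needs its own NULL test once an earlier exit can reach it.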


