[PATCH] Patch for bug 11535
Jeremy Allison
jra at samba.org
Thu Oct 1 00:14:28 UTC 2015
On Wed, Sep 30, 2015 at 05:06:33PM -0700, Jeremy Allison wrote:
> On Wed, Sep 30, 2015 at 04:49:52PM -0700, Ralph Böhme wrote:
> > On Wed, Sep 30, 2015 at 04:46:11PM -0700, Jeremy Allison wrote:
> > > Oh, so it's not me :-). done: calls TALLOC_FREE(dirpath);
> > > which is safe on NULL.
> > >
> > > So yeah, I'd still love to see the reproducer level 10
> > > log with added debugs :-).
> >
> > working on it, currently trying to figure out which test(s) from the
> > 35 tests that test stream renames trigger this by running them
> > individually. We survived 10 so far. ;)
>
> Oh, it *is* still my fault :-). Coverity found it:
>
> New stream code -> goto done (dirpath == NULL):
>
> 1000 done:
> 1001 /* Add back the stream if one was stripped off originally. */
> 1002 if (stream != NULL) {
> 1003 smb_fname->stream_name = stream;
> 1004
> 1005 /* Check path now that the base_name has been converted. */
> 1006 status = build_stream_path(ctx, conn, smb_fname);
> 1007 if (!NT_STATUS_IS_OK(status)) {
> 1008 goto fail;
> 1009 }
> 1010 }
>
> build_stream_path() fails - calls goto fail;
>
> *Now* we get the NULL dirpath deref :-).
So how about this ? There are lots of places
that indirect dirpath without checking, so
this might be safer.
What do you think ?
Jeremy.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s3-smbd-Fix-NULL-pointer-bug-introduced-by-previous-.patch
Type: text/x-diff
Size: 1006 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150930/a74a809c/0001-s3-smbd-Fix-NULL-pointer-bug-introduced-by-previous-.diff>
More information about the samba-technical
mailing list