[PATCH] Patch for bug 11535

Jeremy Allison jra at samba.org
Thu Oct 1 00:14:28 UTC 2015


On Wed, Sep 30, 2015 at 05:06:33PM -0700, Jeremy Allison wrote:
> On Wed, Sep 30, 2015 at 04:49:52PM -0700, Ralph Böhme wrote:
> > On Wed, Sep 30, 2015 at 04:46:11PM -0700, Jeremy Allison wrote:
> > > Oh, so it's not me :-). done: calls TALLOC_FREE(dirpath);
> > > which is safe on NULL.
> > > 
> > > So yeah, I'd still love to see the reproducer level 10
> > > log with added debugs :-).
> > 
> > working on it, currently trying to figure out which test(s) from the
> > 35 tests that test stream renames trigger this by running them
> > individually. We survived 10 so far. ;)
> 
> Oh, it *is* still my fault :-). Coverity found it:
> 
> New stream code -> goto done (dirpath == NULL):
> 
>    1000  done:
>    1001         /* Add back the stream if one was stripped off originally. */
>    1002         if (stream != NULL) {
>    1003                 smb_fname->stream_name = stream;
>    1004 
>    1005                 /* Check path now that the base_name has been converted. */
>    1006                 status = build_stream_path(ctx, conn, smb_fname);
>    1007                 if (!NT_STATUS_IS_OK(status)) {
>    1008                         goto fail;
>    1009                 }
>    1010         }
> 
> build_stream_path() fails - calls goto fail;
> 
> *Now* we get the NULL dirpath deref :-). 

So how about this? There are lots of places
that indirect dirpath without checking, so
this might be safer.

What do you think?

Jeremy.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s3-smbd-Fix-NULL-pointer-bug-introduced-by-previous-.patch
Type: text/x-diff
Size: 1006 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150930/a74a809c/0001-s3-smbd-Fix-NULL-pointer-bug-introduced-by-previous-.diff>
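The control flow described in the thread, as an added worked example that is neither Samba's code nor the attached patch: a stream name sends the function straight to done: with dirpath still NULL, a failing stream check then jumps to fail:, and fail: indirects dirpath without a check. The same function with hardened set shows one way to close it, by making dirpath a valid empty string before any goto so none of the later indirections need a check. The names status_t, struct fname, build_stream_path_stub, convert, try_convert, the enum values and the "dir/file.txt" / ":meta" sample are assumptions made for this example; what the real attached patch does is not visible on this page.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative status codes standing in for NTSTATUS; not Samba's names. */
typedef enum { STATUS_OK = 0, STATUS_OBJECT_NAME_NOT_FOUND, STATUS_NO_MEMORY } status_t;

/* Minimal model of the filename struct: just the two fields the bug involves. */
struct fname {
	char *base_name;
	char *stream_name;	/* ":stream" suffix, or NULL when absent */
};

/* NULL-safe free-and-clear, the TALLOC_FREE() property the thread relies on. */
#define FREE_AND_NULL(p) do { free(p); (p) = NULL; } while (0)

/* Hypothetical stand-in for build_stream_path(); the caller picks the outcome. */
status_t build_stream_path_stub(struct fname *f, bool fail)
{
	(void)f;
	return fail ? STATUS_OBJECT_NAME_NOT_FOUND : STATUS_OK;
}

/*
 * Defect and fix in one function. hardened == false is the buggy shape: a
 * stream name jumps straight to done: with dirpath still NULL, and when the
 * stream check fails, goto fail reaches code that indirects dirpath unchecked
 * (a NULL dereference, so that mode is never run below). hardened == true
 * makes dirpath a valid empty string before any goto, so every later
 * indirection is safe without a check at each site. That is one reading of
 * the "lots of places indirect dirpath" remark; the real patch may differ.
 */
status_t convert(struct fname *f, bool stream_fails, bool hardened)
{
	char *dirpath = hardened ? calloc(1, 1) : NULL;	/* "" when hardened */
	char *stream = NULL;
	status_t status = STATUS_OK;

	if (hardened && dirpath == NULL) {
		return STATUS_NO_MEMORY;	/* nothing to clean up yet */
	}
	if (f->stream_name != NULL) {
		stream = f->stream_name;	/* strip the stream for the walk */
		f->stream_name = NULL;
		goto done;	/* buggy shape: dirpath is still NULL here */
	}
	/* the component walk that normally fills in dirpath would go here */

done:
	if (stream != NULL) {
		f->stream_name = stream;	/* add the stream back */
		status = build_stream_path_stub(f, stream_fails);
		if (status != STATUS_OK) {
			goto fail;	/* the path Coverity flagged */
		}
	}
	FREE_AND_NULL(dirpath);	/* safe on NULL, as the thread notes */
	return STATUS_OK;

fail:
	if (dirpath[0] != '\0') {	/* buggy: NULL deref; hardened: reads "" */
		fprintf(stderr, "conversion stopped under %s\n", dirpath);
	}
	FREE_AND_NULL(dirpath);
	return status;
}

/* Runs the hardened conversion on constructed input; outcome as return value. */
status_t try_convert(bool with_stream, bool stream_fails, bool *stream_restored)
{
	char base[] = "dir/file.txt", sname[] = ":meta";	/* constructed sample */
	struct fname f = { base, with_stream ? sname : NULL };
	status_t st = convert(&f, stream_fails, true);

	if (stream_restored != NULL) {
		*stream_restored = (f.stream_name != NULL);
	}
	return st;
}

/* True when a failed stream check still leaves stream_name put back. */
bool stream_restored_after_failed_build(void)
{
	bool restored = false;
	try_convert(true, true, &restored);
	return restored;
}

int main(void)
{
	printf("stream, build fails: status=%d, stream_name restored=%s\n",
	       try_convert(true, true, NULL),
	       stream_restored_after_failed_build() ? "yes" : "no");
	printf("stream, build ok:    status=%d\n", try_convert(true, false, NULL));
	printf("no stream:           status=%d\n", try_convert(false, false, NULL));
	return 0;
}
```

The point to take from the hardened variant is that the free at done: was never the problem (free on NULL is a no-op, as the thread says); the problem is that a cleanup label reachable from more than one earlier exit inherits the weakest invariant of all of them, so either every indirection under fail: checks for NULL or the pointer is made valid before the first goto. A quick way to audit a function like this is to list every goto that can reach each label and confirm what each local is guaranteed to hold at that point.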