[PATCH] Patch for bug 11535

Ralph Böhme rb at sernet.de
Thu Oct 1 00:32:39 UTC 2015


On Wed, Sep 30, 2015 at 05:14:28PM -0700, Jeremy Allison wrote:
> On Wed, Sep 30, 2015 at 05:06:33PM -0700, Jeremy Allison wrote:
> > On Wed, Sep 30, 2015 at 04:49:52PM -0700, Ralph Böhme wrote:
> > > On Wed, Sep 30, 2015 at 04:46:11PM -0700, Jeremy Allison wrote:
> > > > Oh, so it's not me :-). done: calls TALLOC_FREE(dirpath);
> > > > which is safe on NULL.
> > > > 
> > > > So yeah, I'd still love to see the reproducer level 10
> > > > log with added debugs :-).
> > > 
> > > working on it, currently trying to figure out which test(s) from the
> > > 35 tests that test stream renames trigger this by running them
> > > individually. We survived 10 so far. ;)
> > 
> > Oh, it *is* still my fault :-). Coverity found it:
> > 
> > New stream code -> goto done (dirpath == NULL):
> > 
> > done:
> >         /* Add back the stream if one was stripped off originally. */
> >         if (stream != NULL) {
> >                 smb_fname->stream_name = stream;
> > 
> >                 /* Check path now that the base_name has been converted. */
> >                 status = build_stream_path(ctx, conn, smb_fname);
> >                 if (!NT_STATUS_IS_OK(status)) {
> >                         goto fail;
> >                 }
> >         }
> > 
> > build_stream_path() fails - calls goto fail;
> > 
> > *Now* we get the NULL dirpath deref :-). 

hey, you were faster, I was just about to hit reply and report the
same when your mail came in. :)

> So how about this ? There are lots of places
> that indirect dirpath without checking, so
> this might be safer.
> 
> What do you think ?

unix_convert() is a function out of hell and it may be safe to have
both patches. :)

But other than that, rb: me.

-slow

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de,mailto:kontakt@sernet.de
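
The control flow discussed in this thread, as an added example that is not part of the original mail and is not Samba source: an early `goto done` leaves `dirpath` NULL, a later check fails, and the `fail:` path then reaches code that expects a valid `dirpath`. The function names, the early-exit condition and the `init_early` hardening are assumptions made for this model; the patch discussed in the thread is not shown on this page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of the control flow in the thread; NOT Samba code.
 * Names and the early-exit condition are hypothetical. */
enum { OK = 0, FAILED_CLEANLY = 1, NULL_DIRPATH_AT_FAIL = 2 };

/* Copy the first n bytes of s into a fresh NUL-terminated buffer. */
static char *dup_n(const char *s, size_t n) {
    char *p = malloc(n + 1);
    if (p != NULL) { memcpy(p, s, n); p[n] = '\0'; }
    return p;
}

/* Stand-in for the stream check that runs after "done:" and can fail. */
static int stream_check(const char *stream) {
    return strcmp(stream, "bad") == 0 ? -1 : 0;
}

/* init_early = 0: dirpath is NULL until allocated (the reported state).
 * init_early = 1: dirpath is "" before any goto can skip the allocation. */
static int convert_model(const char *path, int init_early) {
    char *dirpath = init_early ? dup_n("", 0) : NULL;
    const char *colon = strchr(path, ':');
    const char *stream = colon ? colon + 1 : NULL;

    if (init_early && dirpath == NULL) return FAILED_CLEANLY;
    if (colon == path) goto done;   /* hypothetical early exit */

    free(dirpath);
    dirpath = dup_n(path, colon ? (size_t)(colon - path) : strlen(path));
    if (dirpath == NULL) return FAILED_CLEANLY;

done:
    if (stream != NULL && stream_check(stream) != 0) goto fail;
    free(dirpath);                  /* like TALLOC_FREE: safe on NULL */
    return OK;

fail:
    if (dirpath == NULL) {
        /* Real code would dereference dirpath here; the model reports it. */
        return NULL_DIRPATH_AT_FAIL;
    }
    fprintf(stderr, "failed below '%s'\n", dirpath);
    free(dirpath);
    return FAILED_CLEANLY;
}
```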


