[PATCH] smbd: Prevent a crash
Jeremy Allison
jra at samba.org
Thu Mar 10 17:23:06 UTC 2016
On Thu, Mar 10, 2016 at 04:47:03PM +0100, Volker Lendecke wrote:
> Hi!
>
> Review appreciated!
LGTM after careful consideration. Logic is hairy
in there :-). Pushed!
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> http://www.sernet.de, mailto:kontakt at sernet.de
> From d798b6132e2e7271326212bfff3a3a6b48a95cb2 Mon Sep 17 00:00:00 2001
> From: Volker Lendecke <vl at samba.org>
> Date: Thu, 10 Mar 2016 08:54:54 +0100
> Subject: [PATCH] smbd: Prevent a crash
>
> smb2srv_session_close_previous_check crashes if
> ndr_pull_smbXsrv_session_globalB fails for some reason. It depends on "is_free"
> to be correctly set. All we can do for an invalid database is to discard the
> record and set it free.
>
> Signed-off-by: Volker Lendecke <vl at samba.org>
> ---
> source3/smbd/smbXsrv_session.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/source3/smbd/smbXsrv_session.c b/source3/smbd/smbXsrv_session.c
> index a5aee8c..cdad47f 100644
> --- a/source3/smbd/smbXsrv_session.c
> +++ b/source3/smbd/smbXsrv_session.c
> @@ -833,6 +833,10 @@ static void smbXsrv_session_global_verify_record(struct db_record *db_rec,
> hex_encode_talloc(frame, key.dptr, key.dsize),
> nt_errstr(status)));
> TALLOC_FREE(frame);
> + *is_free = true;
> + if (was_free) {
> + *was_free = true;
> + }
> return;
> }
>
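Review bot: In the first early-return path (the one that logs nt_errstr(status)), `*is_free = true;` is dereferenced unconditionally while `was_free` directly below it is NULL-checked. If `is_free` is a mandatory out-parameter, a comment at the function head or an assert would make the asymmetry read as intentional; if callers may pass NULL, it needs the same guard as `was_free`.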
> @@ -848,6 +852,10 @@ static void smbXsrv_session_global_verify_record(struct db_record *db_rec,
> global_blob.version));
> NDR_PRINT_DEBUG(smbXsrv_session_globalB, &global_blob);
> TALLOC_FREE(frame);
> + *is_free = true;
> + if (was_free) {
> + *was_free = true;
> + }
> return;
> }
>
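Review bot: The four lines added before `return;` in the path that logs global_blob.version are an exact copy of the ones added in the previous hunk. Setting `*is_free` and `*was_free` in one place, for example through a shared exit label for the error returns, would keep a later third early return from forgetting them. The commit message also speaks of discarding the record, but the added lines only set the two flags; a short comment stating where the record is actually removed would help the next reader.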
> --
> 1.9.1
>