[PATCH] Fix valgrind read-after-free error in cli_smb2_close_fnum_recv().

Ralph Böhme slow at samba.org
Wed Nov 29 18:31:28 UTC 2017


On Wed, Nov 29, 2017 at 10:13:00AM -0800, Jeremy Allison wrote:
> On Wed, Nov 29, 2017 at 07:06:08PM +0100, Ralph Böhme wrote:
> > On Wed, Nov 29, 2017 at 09:33:43AM -0800, Jeremy Allison wrote:
> > > cli_smb2_close_fnum_recv() uses tevent_req_simple_recv_ntstatus(req), which
> > > frees req, then uses the state pointer which was owned by req.
> > > 
> > > Please review and push.
> > 
> > looks complicated. What about the attached version?
> 
> Yeah, I actually coded that up first and rejected it :-), because
> it still leaves the tevent_req_simple_recv_ntstatus(req)
> inside, which (silently) frees the data inside req.
> 
> There's no indication in that API that req->state is
> gone, so I wanted to leave tevent_req_simple_recv_ntstatus(req)
> only for cases that look like:
> 
> NTSTATUS XXX_recv(struct tevent_req *req)
> {
> 	return tevent_req_simple_recv_ntstatus(req);
> }
> 
> But if you really want your version, I'm good with
> anything that removes the valgrind error really :-).

ok, I see your point. And given the fact that there's another function that gets
it wrong (finddcs_nbt_recv, the caller finddcs_nbt() doesn't seem to be used
anywhere), let's go with your version.

RB: me.

-slow

-- 
Ralph Boehme, Samba Team       https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
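The ordering problem the thread is about, as an added example that is not part of the original post and not Samba or tevent code: a small C stand-in in which `fake_req_data()`, `fake_req_received()` and `fake_simple_recv()` play the roles of tevent_req_data(), tevent_req_received() and tevent_req_simple_recv_ntstatus(). The recv in the thread writes through state (state->cli->raw_status), while this one copies a result out of state; the ordering issue is the same. All names, status values and the poisoning trick are assumptions, and the input is constructed.

```c
/*
 * Added example (not tevent, not Samba's cli_smb2_close_fnum_recv()).
 * A request owns a private state object; the "simple" recv helper marks the
 * request received as a side effect, which releases that state.  A recv
 * function that still needs state must therefore use it BEFORE calling the
 * helper, or call fake_req_received() itself once it is done with state.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t ntstatus_t;              /* stand-in for NTSTATUS (assumption) */
#define STATUS_OK      0x00000000u
#define STATUS_FAILED  0xC0000001u        /* constructed error code */

/* Private per-request state, the analogue of what tevent_req_data() returns. */
struct close_state {
    uint32_t fnum;        /* result the caller wants copied out in _recv() */
    uint32_t reserved;
};

struct fake_req {
    ntstatus_t status;            /* outcome set by the async completion path */
    struct close_state *data;     /* owned by the request, released in _received() */
};

/*
 * Backing store: a static slot that is poisoned instead of freed, so that a
 * read after release returns a recognisable pattern and stays well defined in
 * this example.  With real talloc memory the same read is a use-after-free
 * that only a tool such as valgrind would report.
 */
static struct close_state state_slot;
static struct fake_req req_slot;
#define POISON_BYTE    0xDE
#define POISONED_FNUM  0xDEDEDEDEu        /* four POISON_BYTEs seen as uint32_t */

struct fake_req *fake_req_create(uint32_t fnum, ntstatus_t outcome)
{
    state_slot.fnum = fnum;
    state_slot.reserved = 0;
    req_slot.status = outcome;
    req_slot.data = &state_slot;
    return &req_slot;
}

static struct close_state *fake_req_data(struct fake_req *req)
{
    return req->data;
}

/* Analogue of tevent_req_received(): the request gives up its private state. */
static void fake_req_received(struct fake_req *req)
{
    memset(req->data, POISON_BYTE, sizeof(*req->data));
    req->data = NULL;
}

/* Analogue of tevent_req_simple_recv_ntstatus(): returns the outcome and, as a
 * side effect, marks the request received, which releases the state. */
static ntstatus_t fake_simple_recv(struct fake_req *req)
{
    ntstatus_t status = req->status;
    fake_req_received(req);
    return status;
}

/* The shape discussed in the thread: state is fetched, the simple helper is
 * called, and state is dereferenced afterwards, i.e. after it was released. */
ntstatus_t close_fnum_recv_buggy(struct fake_req *req, uint32_t *pfnum)
{
    struct close_state *state = fake_req_data(req);
    ntstatus_t status = fake_simple_recv(req);   /* releases *state */
    *pfnum = state->fnum;                        /* read after release */
    return status;
}

/* Corrected ordering: copy out what is needed from state first, and mark the
 * request received only when state is no longer needed. */
ntstatus_t close_fnum_recv_fixed(struct fake_req *req, uint32_t *pfnum)
{
    struct close_state *state = fake_req_data(req);
    ntstatus_t status = req->status;
    if (status == STATUS_OK) {
        *pfnum = state->fnum;
    }
    fake_req_received(req);
    return status;
}

/* Drivers on constructed input; they return what each recv observed. */
uint32_t observed_fnum_buggy(void)
{
    uint32_t fnum = 0;
    (void)close_fnum_recv_buggy(fake_req_create(0x1234u, STATUS_OK), &fnum);
    return fnum;
}

uint32_t observed_fnum_fixed(void)
{
    uint32_t fnum = 0;
    (void)close_fnum_recv_fixed(fake_req_create(0x1234u, STATUS_OK), &fnum);
    return fnum;
}

ntstatus_t fixed_status_on_failure(void)
{
    uint32_t fnum = 0;
    return close_fnum_recv_fixed(fake_req_create(0x1234u, STATUS_FAILED), &fnum);
}

int main(void)
{
    printf("buggy recv observed fnum 0x%08x (poisoned)\n", (unsigned)observed_fnum_buggy());
    printf("fixed recv observed fnum 0x%08x\n", (unsigned)observed_fnum_fixed());
    return 0;
}
```

The poisoning only makes the stale read visible in this toy; in the real code the state is talloc memory hanging off the request, and nothing in the helper's signature tells the caller that it is gone, which is the point made above about reserving the one-line helper for recv functions that need nothing from state.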



More information about the samba-technical mailing list