[PATCH] Fix a few CIDs

Stefan Metzmacher metze at samba.org
Tue Apr 3 20:33:17 UTC 2018


Hi Volker,

> From c5a9210bbb4a8ae13d040d570832731b04b94121 Mon Sep 17 00:00:00 2001
> From: Volker Lendecke <vl at samba.org>
> Date: Fri, 30 Mar 2018 12:22:57 -0500
> Subject: [PATCH 10/22] tstream: Fix CID 1167982 Unchecked return value
> 
> Signed-off-by: Volker Lendecke <vl at samba.org>
> ---
>  libcli/smb/tstream_smbXcli_np.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/libcli/smb/tstream_smbXcli_np.c b/libcli/smb/tstream_smbXcli_np.c
> index a59db13..7928f40 100644
> --- a/libcli/smb/tstream_smbXcli_np.c
> +++ b/libcli/smb/tstream_smbXcli_np.c
> @@ -1008,9 +1008,8 @@ static void tstream_smbXcli_np_readv_trans_done(struct tevent_req *subreq)
>  	cli_nps->read.ofs = 0;
>  	cli_nps->read.left = received;
>  	cli_nps->read.buf = talloc_array(cli_nps, uint8_t, received);
> -	if (cli_nps->read.buf == NULL) {
> +	if (tevent_req_nomem(cli_nps->read.buf, req)) {
>  		TALLOC_FREE(subreq);
> -		tevent_req_nomem(cli_nps->read.buf, req);
>  		return;
>  	}
>  	memcpy(cli_nps->read.buf, rcvbuf, received);
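Review bot: the reordering in the `+` line makes tevent_req_nomem() report the failure, and so run the request's callback, before `TALLOC_FREE(subreq);` executes; if that callback tears down req and subreq is owned by it, the free on the next line operates on already-freed memory. To clear the unchecked-return-value finding without changing the order, keep `TALLOC_FREE(subreq);` first and then call `tevent_req_error(req, ENOMEM);` (the explicit NULL check on the `-` line already covers what tevent_req_nomem() tests), or cast the tevent_req_nomem() result to void.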

This looks wrong, in tstream_smbXcli_np_readv_trans_done()
you can also remove TALLOC_FREE(subreq), as that's already called
a few lines above, but in tstream_smbXcli_np_readv_read_done()
we need to keep this or rework smb1cli_readx_recv() to take a memory
context, so that we don't have to defer TALLOC_FREE(subreq);

The problem is that TALLOC_FREE(subreq); will crash, as
it will be implicitly freed via the callback triggered by
tevent_req_nomem().

metze
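The ordering hazard described in this reply, as an added illustration that is not part of this thread and not Samba, talloc or tevent code: a constructed toy model in which a request owns its subrequest, reporting an error runs the request's callback immediately, and the callback frees the request together with everything it owns (the usual tevent convention, assumed here). The function names node_alloc, node_free, req_nomem and the two done() variants are hypothetical. The patched order (signal, then free subreq) is flagged as a double free; the original order (free subreq, then signal) is not.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for a talloc hierarchy (constructed, not the real library):
 * freeing a node frees all of its descendants first. */
#define MAX_NODES 8

struct node {
    struct node *parent;
    bool freed;
};

static struct node pool[MAX_NODES];
static int pool_used;

static void pool_reset(void) {
    memset(pool, 0, sizeof(pool));
    pool_used = 0;
}

static struct node *node_alloc(struct node *parent) {
    struct node *n = &pool[pool_used++];
    n->parent = parent;
    n->freed = false;
    return n;
}

/* Returns false when asked to free a node that is already gone, which in the
 * real libraries would be a use-after-free / double free rather than a flag. */
static bool node_free(struct node *n) {
    if (n->freed) {
        return false;
    }
    for (int i = 0; i < pool_used; i++) {
        if (pool[i].parent == n && !pool[i].freed) {
            node_free(&pool[i]);
        }
    }
    n->freed = true;
    return true;
}

/* Toy request: a memory context plus the completion callback. */
struct req {
    struct node *mem;
    void (*callback)(struct req *);
};

/* Models tevent_req_nomem(): on a NULL allocation the request is marked failed
 * and its callback runs right away, before control returns to the caller. */
static bool req_nomem(const void *ptr, struct req *req) {
    if (ptr != NULL) {
        return false;
    }
    req->callback(req);
    return true;
}

/* Models a caller's _recv() that frees the request (and its children) in the callback. */
static void finish_and_free(struct req *req) {
    node_free(req->mem);
}

/* Order introduced by the patch: signal first, free subreq afterwards. */
static bool done_signal_then_free(struct req *req, struct node *subreq) {
    void *buf = NULL;                  /* constructed: the allocation failed */
    if (req_nomem(buf, req)) {
        return node_free(subreq);      /* subreq was already freed with req */
    }
    return true;
}

/* Original order: free subreq first, then signal the failure. */
static bool done_free_then_signal(struct req *req, struct node *subreq) {
    void *buf = NULL;                  /* constructed: the allocation failed */
    if (buf == NULL) {
        bool ok = node_free(subreq);   /* still owned by req: a clean free */
        (void)req_nomem(buf, req);     /* result deliberately ignored */
        return ok;
    }
    return true;
}

static bool run(bool (*done)(struct req *, struct node *)) {
    pool_reset();
    struct req req = { .mem = node_alloc(NULL), .callback = finish_and_free };
    struct node *subreq = node_alloc(req.mem);   /* subreq is a child of req */
    return done(&req, subreq);
}

bool patch_order_is_safe(void)    { return run(done_signal_then_free); }
bool original_order_is_safe(void) { return run(done_free_then_signal); }

int main(void) {
    printf("patched order safe: %s\n", patch_order_is_safe() ? "yes" : "no");
    printf("original order safe: %s\n", original_order_is_safe() ? "yes" : "no");
    return 0;
}
```

The model only captures the lifetime rule that matters here: once the error path has run the request's callback, nothing that the request owned may be touched, so any cleanup of subreq has to happen before the failure is signalled (or be dropped entirely where subreq was already freed earlier in the function).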

