[PATCH] Don't modify memory reference provided by value
Stefan Metzmacher
metze at samba.org
Tue Feb 6 21:34:50 UTC 2018
Hi Swen,
>> what problem are you trying to solve here?
>>
>> talloc_memdup() is at least wrong here! (The same applies to the
>> push_blocking_lock_request() patch).
>
> Sorry, I tried to explain it as good as I can.
>
> The problem is, that memory is accessed after the ownership moved.
> ...and even a use-after-free situation could occur.
Why is moving the ownership a problem?
We move the request from the short term talloc_stackframe
to more long term memory to enable async processing.
Where do you see a use-after-free?
I agree this code is not nice, but I don't see a bug.
> Here's the possible call stack
>
> void reply_write_and_X(struct smb_request *req)
> {
> .....
> if(numtowrite == 0) {
> nwritten = 0;
> } else {
> if (req->unread_bytes == 0) {
> status = schedule_aio_write_and_X(conn,
> req, <====
> fsp,
> data,
> startpos,
> numtowrite);
>
> ...
> out:
> if (req->unread_bytes) { <=== here we access req which was talloc_moved above
> /* writeX failed. drain socket. */
> if (drain_socket(xconn->transport.sock, req->unread_bytes) !=
> req->unread_bytes) {
> smb_panic("failed to drain pending bytes");
> }
> req->unread_bytes = 0;
> }
> }
talloc_move() is a bit strange, but it's not talloc_free(),
so the memory is still valid.
> and within schedule_aio_write_and_X we do what's wrong
>
> NTSTATUS schedule_aio_write_and_X(connection_struct *conn,
> struct smb_request *smbreq, <=====
> files_struct *fsp, const char *data,
> off_t startpos,
> size_t numtowrite)
> {
> ...
> aio_ex->smbreq = talloc_move(aio_ex, &smbreq); <=== zero'ing smbreq is
> only having local
> effect but the
> stealing part
> is problematic
> ...
> }
The same here.
> Am I missing something ?
> ...and why is talloc_memdup wrong ?
talloc_memdup() only copies the struct itself,
but doesn't take care of talloc children.
We really want talloc_move/talloc_steal here.
which moves the smb_request from the short term
talloc_stackframe() memory to more long term memory
for async processing.
metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20180206/33916456/signature.sig>
More information about the samba-technical
mailing list