[PATCH] s4-smb_server: Fix a use after free.
Andreas Schneider
asn at samba.org
Fri Nov 8 08:14:35 MST 2013
If we haven't allocated the smbsrv_session then we should not free it.
Signed-off-by: Andreas Schneider <asn at samba.org>
---
source4/smb_server/smb/sesssetup.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c
index b26c128..4ebc0c4 100644
--- a/source4/smb_server/smb/sesssetup.c
+++ b/source4/smb_server/smb/sesssetup.c
@@ -415,6 +415,7 @@ static void sesssetup_spnego(struct smbsrv_request *req, union smb_sesssetup *se
{
NTSTATUS status;
struct smbsrv_session *smb_sess = NULL;
+ bool is_smb_sess_new = false;
struct sesssetup_spnego_state *s = NULL;
uint16_t vuid;
struct tevent_req *subreq;
@@ -465,6 +466,7 @@ static void sesssetup_spnego(struct smbsrv_request *req, union smb_sesssetup *se
status = NT_STATUS_INSUFFICIENT_RESOURCES;
goto failed;
}
+ is_smb_sess_new = true;
} else {
smb_sess = smbsrv_session_find_sesssetup(req->smb_conn, vuid);
}
@@ -510,7 +512,9 @@ static void sesssetup_spnego(struct smbsrv_request *req, union smb_sesssetup *se
nomem:
status = NT_STATUS_NO_MEMORY;
failed:
- talloc_free(smb_sess);
+ if (is_smb_sess_new) {
+ talloc_free(smb_sess);
+ }
status = nt_status_squash(status);
smbsrv_sesssetup_backend_send(req, sess, status);
}
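Review bot: The guard at `failed:` now leaves a session returned by `smbsrv_session_find_sesssetup(req->smb_conn, vuid)` alive on every error path, including `nomem:` and a failed authentication leg, and nothing in this hunk shows what later tears down such a half-set-up session. If connection teardown or a timer covers that, a comment at the label would record it, e.g. `/* free only a session allocated in this call; one found by vuid is presumably still owned by smb_conn */`. The ownership rule is otherwise carried only by `is_smb_sess_new`, set in the second hunk, so any later allocation path has to remember to set the flag. The body of sesssetup_spnego starts outside this hunk, so the paths that jump to `failed:` are not all visible here.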
--
1.8.4