diff options
| author | Stefan Metzmacher <metze@samba.org> | 2020-07-03 10:08:08 +0200 |
|---|---|---|
| committer | Stefan Metzmacher <metze@samba.org> | 2020-07-08 15:54:41 +0000 |
| commit | af51b75c6118787ce8b4b1fcc8198ff15397788b (patch) | |
| tree | add1d284bee331f331de0f69662767ec9b1389e6 | |
| parent | ab14a0d162472899c081c1cb477ac6c888b44e5d (diff) | |
| download | samba-af51b75c6118787ce8b4b1fcc8198ff15397788b.tar.gz | |
s3:smbd: make smbXsrv_client_connection_pass_loop() more robust
Don't leak fds in the error paths.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11898
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
| -rw-r--r-- | source3/smbd/smbXsrv_client.c | 31 |
1 files changed, 22 insertions, 9 deletions
diff --git a/source3/smbd/smbXsrv_client.c b/source3/smbd/smbXsrv_client.c index ece88598672..e0658d87969 100644 --- a/source3/smbd/smbXsrv_client.c +++ b/source3/smbd/smbXsrv_client.c @@ -613,6 +613,15 @@ static void smbXsrv_client_connection_pass_loop(struct tevent_req *subreq) goto next; } + if (rec->num_fds != 1) { + DBG_ERR("MSG_SMBXSRV_CONNECTION_PASS: num_fds[%u]\n", + rec->num_fds); + goto next; + } + + sock_fd = rec->fds[0]; + DBG_DEBUG("MSG_SMBXSRV_CONNECTION_PASS: got sock_fd[%d]\n", sock_fd); + ndr_err = ndr_pull_struct_blob(&rec->buf, rec, &pass_blob, (ndr_pull_flags_fn_t)ndr_pull_smbXsrv_connection_passB); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { @@ -621,7 +630,6 @@ static void smbXsrv_client_connection_pass_loop(struct tevent_req *subreq) goto next; } - DBG_DEBUG("MSG_SMBXSRV_CLIENT_CLOSE\n"); if (DEBUGLVL(DBGLVL_DEBUG)) { NDR_PRINT_DEBUG(smbXsrv_connection_passB, &pass_blob); } @@ -671,26 +679,21 @@ static void smbXsrv_client_connection_pass_loop(struct tevent_req *subreq) goto next; } - SMB_ASSERT(rec->num_fds == 1); - sock_fd = rec->fds[0]; - - DBG_ERR("got connection sockfd[%d]\n", sock_fd); - NDR_PRINT_DEBUG(smbXsrv_connection_passB, &pass_blob); status = smbd_add_connection(client, sock_fd, pass_info0->initial_connect_time, &xconn); if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) { + rec->num_fds = 0; DLIST_REMOVE(client->connections, xconn); TALLOC_FREE(xconn); } if (!NT_STATUS_IS_OK(status)) { - close(sock_fd); - sock_fd = -1; DBG_ERR("smbd_add_connection => %s\n", nt_errstr(status)); NDR_PRINT_DEBUG(smbXsrv_connection_passB, &pass_blob); goto next; } + rec->num_fds = 0; /* * Set seq_low to mid received in negprot @@ -704,7 +707,17 @@ static void smbXsrv_client_connection_pass_loop(struct tevent_req *subreq) pass_info0->negotiate_request.length); next: - TALLOC_FREE(rec); + if (rec != NULL) { + uint8_t fd_idx; + + for (fd_idx = 0; fd_idx < rec->num_fds; fd_idx++) { + sock_fd = rec->fds[fd_idx]; + close(sock_fd); + } + rec->num_fds = 0; + + TALLOC_FREE(rec); + } subreq = messaging_filtered_read_send(client, client->raw_ev_ctx, |