authorThomas Jarosch <thomas.jarosch@intra2net.com>2017-07-22 09:36:18 -0700
committerJeremy Allison <jra@samba.org>2017-07-22 22:45:05 +0200
commit890137cffedcaf88a9ff808c01335ee14fcfd8da (patch)
tree6c514f83a543dc184f1c8fc0ed58ce35f769de4c
parent6c45db6779615f70eb2c81377685c9707d6b548d (diff)
downloadsamba-890137cffedcaf88a9ff808c01335ee14fcfd8da.tar.gz
s3: libsmb: Fix use-after-free when accessing pointer *p.
talloc_asprintf_append() might call realloc() and therefore move the memory address of "path". BUG: https://bugzilla.samba.org/show_bug.cgi?id=12927 Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Sat Jul 22 22:45:05 CEST 2017 on sn-devel-144
-rw-r--r--source3/libsmb/libsmb_dir.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c
index 4a4e08412bc..8038584138b 100644
--- a/source3/libsmb/libsmb_dir.c
+++ b/source3/libsmb/libsmb_dir.c
@@ -379,9 +379,9 @@ SMBC_opendir_ctx(SMBCCTX *context,
char *options = NULL;
char *workgroup = NULL;
char *path = NULL;
+ size_t path_len = 0;
uint16_t mode;
uint16_t port = 0;
- char *p = NULL;
SMBCSRV *srv = NULL;
SMBCFILE *dir = NULL;
struct sockaddr_storage rem_ss;
@@ -802,7 +802,7 @@ SMBC_opendir_ctx(SMBCCTX *context,
/* Now, list the files ... */
- p = path + strlen(path);
+ path_len = strlen(path);
path = talloc_asprintf_append(path, "\\*");
if (!path) {
if (dir) {
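Review bot: The reason an offset replaces the saved pointer is not recorded next to `path_len = strlen(path);`, so a later cleanup could reintroduce a cached pointer into `path` and bring back the write through a stale address. A comment above that line such as `/* Save an offset, not a pointer: talloc_asprintf_append() may realloc and move path. */` would keep the invariant visible. The later `path[path_len] = '\0';` in the third hunk is only in bounds if `path` is not reassigned or shortened between the two points. That cannot be confirmed from the lines shown, because SMBC_opendir_ctx starts and ends outside these hunks.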
@@ -844,7 +844,7 @@ SMBC_opendir_ctx(SMBCCTX *context,
* got would have been EINVAL rather
* than ENOTDIR.
*/
- *p = '\0'; /* restore original path */
+ path[path_len] = '\0'; /* restore original path */
if (SMBC_getatr(context, srv, path,
&mode, NULL,