author | Thomas Jarosch <thomas.jarosch@intra2net.com> | 2017-07-22 09:36:18 -0700 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2017-07-22 22:45:05 +0200 |
commit | 890137cffedcaf88a9ff808c01335ee14fcfd8da (patch) | |
tree | 6c514f83a543dc184f1c8fc0ed58ce35f769de4c | |
parent | 6c45db6779615f70eb2c81377685c9707d6b548d (diff) | |
download | samba-890137cffedcaf88a9ff808c01335ee14fcfd8da.tar.gz |
s3: libsmb: Fix use-after-free when accessing pointer *p.
talloc_asprintf_append() might call realloc()
and therefore move the memory address of "path".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12927
Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Jul 22 22:45:05 CEST 2017 on sn-devel-144
-rw-r--r-- | source3/libsmb/libsmb_dir.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c index 4a4e08412bc..8038584138b 100644 --- a/source3/libsmb/libsmb_dir.c +++ b/source3/libsmb/libsmb_dir.c @@ -379,9 +379,9 @@ SMBC_opendir_ctx(SMBCCTX *context, char *options = NULL; char *workgroup = NULL; char *path = NULL; + size_t path_len = 0; uint16_t mode; uint16_t port = 0; - char *p = NULL; SMBCSRV *srv = NULL; SMBCFILE *dir = NULL; struct sockaddr_storage rem_ss; @@ -802,7 +802,7 @@ SMBC_opendir_ctx(SMBCCTX *context, /* Now, list the files ... */ - p = path + strlen(path); + path_len = strlen(path); path = talloc_asprintf_append(path, "\\*"); if (!path) { if (dir) { @@ -844,7 +844,7 @@ SMBC_opendir_ctx(SMBCCTX *context, * got would have been EINVAL rather * than ENOTDIR. */ - *p = '\0'; /* restore original path */ + path[path_len] = '\0'; /* restore original path */ if (SMBC_getatr(context, srv, path, &mode, NULL, |
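Review bot: Missing comment at `path_len = strlen(path);` in the second hunk (@@ -802): nothing there says why a length is kept rather than a pointer, so a later cleanup could reintroduce a cached `char *` into `path`. Suggest a one-line comment above it stating that `talloc_asprintf_append()` may move `path`, so only an offset stays valid across the call.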
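Review bot: `path[path_len] = '\0';` in the third hunk (@@ -844) is only correct while `path` is still the string produced by `talloc_asprintf_append(path, "\\*")` in the previous hunk, about 40 lines earlier, and that dependency is not written down. Because `path_len` is initialised to 0 in the first hunk, a code path that reaches this line without the `strlen()` assignment would silently truncate `path` to an empty string. Suggest extending the `/* restore original path */` comment to name that assumption, or keeping the assignment and the truncation closer together.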