| field | value |
|---|---|
| author | Jeremy Allison <jra@samba.org>, 2017-07-13 12:06:58 -0700 |
| committer | Karolin Seeger <kseeger@samba.org>, 2017-07-25 01:31:58 +0200 |
| commit | 189a71748c9636097c7d56c65ef521590c96e397 (patch) |
| tree | 8da902326e2a70f53a696e0c47dbf4265130afa2 |
| parent | 9ff57c8760b04f6c913778d94de5cc84b7767aac (diff) |
| download | samba-189a71748c9636097c7d56c65ef521590c96e397.tar.gz |
s3: smbd: Fix a read after free if a chained SMB1 call goes async.
Reported to the Samba Team by Yihan Lian <lianyihan@360.cn>, a security
researcher of Qihoo 360 GearTeam. Thanks a lot!
smb1_parse_chain() incorrectly used talloc_tos() for the memory
context of the chained smb1 requests. This gets freed between
requests so if a chained request goes async, the saved request
array also is freed, which causes a crash on resume.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12836
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5fe76a5474823ed7602938a07c9c43226a7882a3)
Autobuild-User(v4-4-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-4-test): Tue Jul 25 01:31:58 CEST 2017 on sn-devel-144
-rw-r--r-- | source3/smbd/process.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/source3/smbd/process.c b/source3/smbd/process.c index 47fd16fe6ff..b1b2b92e4c8 100644 --- a/source3/smbd/process.c +++ b/source3/smbd/process.c @@ -1784,7 +1784,7 @@ static void construct_reply_chain(struct smbXsrv_connection *xconn, unsigned num_reqs; bool ok; - ok = smb1_parse_chain(talloc_tos(), (uint8_t *)inbuf, xconn, encrypted, + ok = smb1_parse_chain(xconn, (uint8_t *)inbuf, xconn, encrypted, seqnum, &reqs, &num_reqs); if (!ok) { char errbuf[smb_size]; |
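Review bot: Switching the talloc parent of the parsed chain from talloc_tos() to xconn in the smb1_parse_chain() call addresses the read-after-free described in the message, because the connection outlives a chained request that goes async, whereas the stackframe context is freed between requests. The one-line hunk does not show what now frees the reqs array, though: with xconn as parent it is no longer released when the stackframe is popped, so construct_reply_chain() (or the completion path of the last chained request) must TALLOC_FREE(reqs) or reparent it onto the request, otherwise every chained SMB1 call leaks its request array for the lifetime of the connection. Worth confirming that cleanup exists in the surrounding function, and a short comment at the call site saying why the connection is the right owner would save the next reader from reintroducing talloc_tos() here.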