path: root/source3/smbd/process.c
author: Jeremy Allison <jra@samba.org> 2017-07-13 12:06:58 -0700
committer: Jeremy Allison <jra@samba.org> 2017-07-15 02:16:18 +0200
commit: 5fe76a5474823ed7602938a07c9c43226a7882a3 (patch)
tree: 1371eaf50eb76238474330eee2cf4a36ca87757c /source3/smbd/process.c
parent: 7f4e7cfd1b0bd917395c631a1a8195fffd13bbad (diff)
s3: smbd: Fix a read after free if a chained SMB1 call goes async.
Reported to the Samba Team by Yihan Lian <lianyihan@360.cn>, a security
researcher of Qihoo 360 GearTeam. Thanks a lot!

smb1_parse_chain() incorrectly used talloc_tos() for the memory context of
the chained smb1 requests. This gets freed between requests so if a chained
request goes async, the saved request array also is freed, which causes a
crash on resume.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12836

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source3/smbd/process.c')
-rw-r--r--  source3/smbd/process.c  2
1 files changed, 1 insertions, 1 deletions
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index a19b8b78b9b..3765739d9c4 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1785,7 +1785,7 @@ static void construct_reply_chain(struct smbXsrv_connection *xconn,
unsigned num_reqs;
bool ok;
- ok = smb1_parse_chain(talloc_tos(), (uint8_t *)inbuf, xconn, encrypted,
+ ok = smb1_parse_chain(xconn, (uint8_t *)inbuf, xconn, encrypted,
seqnum, &reqs, &num_reqs);
if (!ok) {
char errbuf[smb_size];
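Review bot: switching the parse context from talloc_tos() to xconn at `ok = smb1_parse_chain(xconn, (uint8_t *)inbuf, xconn, encrypted,` does keep the reqs array alive across an async resume, but xconn lives for the whole connection, so please confirm that reqs is explicitly freed once the last chained reply has been sent (a TALLOC_FREE(reqs) on the completion path); without that, every chained SMB1 request leaves its parsed array attached to the connection until teardown, and memory grows over a long-lived session. A short comment on that line saying why the per-request stack frame is unsafe here (the chain can go async and resume after talloc_tos() has been freed) would also help, since passing xconn both as the memory context and as the connection argument reads as an accident to anyone who does not know this history.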