diff options
| author | Michael Adam <obnox@samba.org> | 2016-03-16 23:57:33 +0100 |
|---|---|---|
| committer | Jeremy Allison <jra@samba.org> | 2016-03-17 04:31:10 +0100 |
| commit | 44f3dde85740d2b9462df2ed76da41dae0774470 (patch) | |
| tree | 1cc96fc79ffe9425a52856c36786f73afd4b326e /wscript_configure_system_mitkrb5 | |
| parent | a16379c585a6f6e9470a8745b6043be8171eb615 (diff) | |
| download | samba-44f3dde85740d2b9462df2ed76da41dae0774470.tar.gz | |
smbd: fix use after free via conn->fsp_fi_cache
Some instrumentation of the the durable reconnect
code uncovered a problem in the fsp_new, fsp_free pair:
vfs_default_durable_reconnect():
fsp_new() ==> this does DLIST_ADD(fsp->conn->sconn->files, fsp)
if (fsp->oplock_type == LEASE_OPLOCK) {
find_fsp_lease(fsp, &key, l) ==> this fills conn->fsp_fi_cache
if (client guids not equal) {
fsp_free(fsp) ==> this does DLIST_REMOVE(fsp->conn->sconn->files, fsp)
}
so after this code we have the fsp_fi_cache still pointing to the
free'd memory. The next call to find_fsp_lease will use the cache
and hence access the freed memory.
The fix consists in invalidating the cache in fsp_free() instead
of just in its wrapper file_free().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11799
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 17 04:31:10 CET 2016 on sn-devel-144
Diffstat (limited to 'wscript_configure_system_mitkrb5')
0 files changed, 0 insertions, 0 deletions