The Samba-Bugzilla – Attachment 10953 Details for Bug 11186: Crash seen in libsmbclient due to free of server structure during SMBC_getxattr() call
[patch]
git-am cherry-pick from master for 4.2.next, 4.1.next.
0001-s3-libsmbclient-After-getting-attribute-server-ensur.patch (text/plain), 2.64 KB, created by Jeremy Allison on 2015-04-14 17:07:21 UTC
>From 25d9ef5ed7758a83382fa0da0bf440f676c8750d Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 31 Mar 2015 14:40:23 -0700 >Subject: [PATCH] s3: libsmbclient: After getting attribute server, ensure main > srv pointer is still valid. > >Bug #11186: Crash seen in libsmbclient due to free of server structure during SMBC_getxattr() call > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=11186 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: David Disseldorp <ddiss@samba.org> > >Autobuild-User(master): David Disseldorp <ddiss@samba.org> >Autobuild-Date(master): Tue Apr 14 02:58:43 CEST 2015 on sn-devel-104 > >(cherry picked from commit 2d4db4a65e1e8924470741378fe249f22196eceb) >--- > source3/libsmb/libsmb_xattr.c | 41 +++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 41 insertions(+) > >diff --git a/source3/libsmb/libsmb_xattr.c b/source3/libsmb/libsmb_xattr.c >index 8e6590a..edc62f3 100644 >--- a/source3/libsmb/libsmb_xattr.c >+++ b/source3/libsmb/libsmb_xattr.c >@@ -2072,6 +2072,25 @@ SMBC_getxattr_ctx(SMBCCTX *context, > if (! srv->no_nt_session) { > ipc_srv = SMBC_attr_server(frame, context, server, port, share, > &workgroup, &user, &password); >+ /* >+ * SMBC_attr_server() can cause the original >+ * server to be removed from the cache. >+ * If so we must error out here as the srv >+ * pointer has been freed. >+ */ >+ if (smbc_getFunctionGetCachedServer(context)(context, >+ server, >+ share, >+ workgroup, >+ user) != srv) { >+#if defined(ECONNRESET) >+ errno = ECONNRESET; >+#else >+ errno = ETIMEDOUT; >+#endif >+ TALLOC_FREE(frame); >+ return -1; >+ } > if (! ipc_srv) { > srv->no_nt_session = True; > } 
>@@ -2207,9 +2226,31 @@ SMBC_removexattr_ctx(SMBCCTX *context, > } > > if (! srv->no_nt_session) { >+ int saved_errno; > ipc_srv = SMBC_attr_server(frame, context, server, port, share, > &workgroup, &user, &password); >+ saved_errno = errno; >+ /* >+ * SMBC_attr_server() can cause the original >+ * server to be removed from the cache. >+ * If so we must error out here as the srv >+ * pointer has been freed. >+ */ >+ if (smbc_getFunctionGetCachedServer(context)(context, >+ server, >+ share, >+ workgroup, >+ user) != srv) { >+#if defined(ECONNRESET) >+ errno = ECONNRESET; >+#else >+ errno = ETIMEDOUT; >+#endif >+ TALLOC_FREE(frame); >+ return -1; >+ } > if (! ipc_srv) { >+ errno = saved_errno; > srv->no_nt_session = True; > } > } else { >-- >2.2.0.rc0.207.ga3a616c >
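Review bot: in the SMBC_getxattr_ctx hunk, errno is not preserved across the new cache lookup that sits between SMBC_attr_server() and the `if (! ipc_srv)` test, whereas the SMBC_removexattr_ctx hunk adds `saved_errno` and restores it for the same sequence. Either mirror the save/restore here or say in the comment why getxattr does not need it, so the two call sites do not diverge silently. Separately, `workgroup` and `user` are handed to SMBC_attr_server() by address (`&workgroup, &user, &password`) and then reused as lookup keys in the cached-server call; if that function can rewrite them, the lookup may miss an entry that is still valid and return a spurious ECONNRESET. Capturing the key values before the SMBC_attr_server() call, or documenting that they are unchanged on return, would close that gap.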
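Review bot: the validity check added after SMBC_attr_server() in the SMBC_removexattr_ctx hunk is a line-for-line copy of the block in SMBC_getxattr_ctx, including the `#if defined(ECONNRESET)` fallback. A small static helper that takes context, server, share, workgroup, user and srv and returns whether srv is still the cached entry would keep the two sites identical and make the check easy to apply at any other caller of SMBC_attr_server(). The test `!= srv` is also a pointer-identity comparison against memory the comment says may already be freed: it does not dereference srv, which is correct, but it would pass if a replacement cache entry were allocated at the same address. A short note on why that cannot happen on this path would help the next reader.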
Flags: ddiss: review+