From 3da7e6a079e4f52ffd6eb0bd403759f1f642ccab Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Fri, 30 Oct 2015 09:01:28 +0100
Subject: [PATCH 1/2] s3-smbd: Fix use after issue in smbd_smb2_request_dispatch()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11581

Signed-off-by: Andreas Schneider
Reviewed-by: Stefan Metzmacher

Autobuild-User(master): Andreas Schneider
Autobuild-Date(master): Fri Oct 30 19:49:47 CET 2015 on sn-devel-104
(cherry picked from commit db9e10d071793b91b3f3d40225a8634e3c34f65e)
---
 source3/smbd/smb2_server.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 40f3f2d..0ae3fc8 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -1703,13 +1703,6 @@ static NTSTATUS smbd_smb2_request_process_cancel(struct smbd_smb2_request *req)
 	search_message_id = BVAL(inhdr, SMB2_HDR_MESSAGE_ID);
 	search_async_id = BVAL(inhdr, SMB2_HDR_PID);
-	/*
-	 * we don't need the request anymore
-	 * cancel requests never have a response
-	 */
-	DLIST_REMOVE(xconn->smb2.requests, req);
-	TALLOC_FREE(req);
-
 	for (cur = xconn->smb2.requests; cur; cur = cur->next) {
 		const uint8_t *outhdr;
 		uint64_t message_id;
@@ -2350,6 +2343,14 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 					req->profile, _INBYTES(req));
 		return_value = smbd_smb2_request_process_cancel(req);
 		SMBPROFILE_IOBYTES_ASYNC_END(req->profile, 0);
+
+		/*
+		 * We don't need the request anymore cancel requests never
+		 * have a response.
+		 */
+		DLIST_REMOVE(xconn->smb2.requests, req);
+		TALLOC_FREE(req);
+
 		break;
 	case SMB2_OP_KEEPALIVE:
-- 
1.9.1

From dac60380b15fb457b608ffa4f247dc35dd095cae Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 2 Nov 2015 13:40:24 +0100
Subject: [PATCH 2/2] s3:smb2_server: make the logic of SMB2_CANCEL DLIST_REMOVE() clearer

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11581
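Review bot: With the unlink moved to the dispatch case, the cancel request itself stays on `xconn->smb2.requests` while smbd_smb2_request_process_cancel() walks that list for the MessageId the cancel carries; whether the walk can match the cancel request instead of its target depends on where incoming requests are linked into the list and on what the loop does with an entry that has no `subreq`, neither of which is visible in this hunk. The second patch in this series moves DLIST_REMOVE() back before the walk, so the ordering is settled there, but this commit message could say that only the free needed deferring (the SMBPROFILE_IOBYTES_ASYNC_END(req->profile, 0) deref is the actual use-after-free being fixed). The new comment reads as one run-on sentence; `* We don't need the request anymore: cancel requests never` keeps it parallel with the wording it replaces. Assuming the usual TALLOC_FREE() definition that nulls its argument, anything after the `break` that still touches `req` (the rest of smbd_smb2_request_dispatch() is outside the hunk) would now crash rather than read freed memory, which is worth a sentence in the comment so nobody reintroduces such a use.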
Signed-off-by: Stefan Metzmacher
Reviewed-by: Jeremy Allison
(cherry picked from commit ad85c8905184d125a2a38569f7955ccbf443ebcd)
---
 source3/smbd/smb2_server.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 0ae3fc8..09633a3 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -1703,6 +1703,14 @@ static NTSTATUS smbd_smb2_request_process_cancel(struct smbd_smb2_request *req)
 	search_message_id = BVAL(inhdr, SMB2_HDR_MESSAGE_ID);
 	search_async_id = BVAL(inhdr, SMB2_HDR_PID);
+	/*
+	 * We don't need the request anymore cancel requests never
+	 * have a response.
+	 *
+	 * We defer the TALLOC_FREE(req) to the caller.
+	 */
+	DLIST_REMOVE(xconn->smb2.requests, req);
+
 	for (cur = xconn->smb2.requests; cur; cur = cur->next) {
 		const uint8_t *outhdr;
 		uint64_t message_id;
@@ -2347,8 +2355,10 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 		/*
 		 * We don't need the request anymore cancel requests never
 		 * have a response.
+		 *
+		 * smbd_smb2_request_process_cancel() already called
+		 * DLIST_REMOVE(xconn->smb2.requests, req);
 		 */
-		DLIST_REMOVE(xconn->smb2.requests, req);
 		TALLOC_FREE(req);
 		break;
-- 
1.9.1
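Review bot: smbd_smb2_request_process_cancel() now unlinks `req` from `xconn->smb2.requests` but leaves it allocated for the caller, and that split ownership is recorded only in an in-body comment; the function's header (its start is outside this hunk) should state the contract so any future caller knows it must TALLOC_FREE() the request itself and must not expect it to still be linked on return. A one-line doc comment above the function such as `/* Unlinks req from xconn->smb2.requests; req stays allocated and the caller must TALLOC_FREE() it. */` would do. It is also worth a sentence there that the unlink must stay unconditional: if an early return were ever added before this point, the caller would free a request that is still on the list, which is the same class of dangling-pointer bug this series is fixing.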