The Samba-Bugzilla – Attachment 11995 Details for Bug 11836: smbc_free_context function deletes freed memory
[patch] patch backported to 4.4
0001-s3-libsmb-Fix-illegal-memory-access-after-memory-has.patch (text/plain), 2.88 KB, created by Noel Power on 2016-04-14 13:51:51 UTC
>From e1d68bc8fdf0f62df43a9d37fddef909a496aca3 Mon Sep 17 00:00:00 2001 >From: Noel Power <noel.power@suse.com> >Date: Wed, 13 Apr 2016 17:57:31 +0100 >Subject: [PATCH] s3:libsmb: Fix illegal memory access after memory has been > deleted. > >smbtorture with the libsmbclient test suite produces the following valgrind >trace > >==31432== Invalid read of size 8 >==31432== at 0x99B8858: smbc_free_context (libsmb_context.c:260) >==31432== by 0x5E6401: torture_libsmbclient_opendir (libsmbclient.c:136) >==31432== by 0x9553F42: wrap_simple_test (torture.c:632) >==31432== by 0x955366F: internal_torture_run_test (torture.c:442) >==31432== by 0x95538C3: torture_run_tcase_restricted (torture.c:506) >==31432== by 0x9553278: torture_run_suite_restricted (torture.c:357) >==31432== by 0x95531D7: torture_run_suite (torture.c:339) >==31432== by 0x25FEFF: run_matching (smbtorture.c:93) >==31432== by 0x260195: torture_run_named_tests (smbtorture.c:143) >==31432== by 0x261E14: main (smbtorture.c:665) >==31432== Address 0x18864a70 is 80 bytes inside a block of size 96 free'd >==31432== at 0x4C2A37C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) >==31432== by 0x99BCC46: SMBC_closedir_ctx (libsmb_dir.c:922) >==31432== by 0x99C06CA: SMBC_close_ctx (libsmb_file.c:370) >==31432== by 0x99B8853: smbc_free_context (libsmb_context.c:259) >==31432== by 0x5E6401: torture_libsmbclient_opendir (libsmbclient.c:136) >==31432== by 0x9553F42: wrap_simple_test (torture.c:632) >==31432== by 0x955366F: internal_torture_run_test (torture.c:442) >==31432== by 0x95538C3: torture_run_tcase_restricted (torture.c:506) >==31432== by 0x9553278: torture_run_suite_restricted (torture.c:357) >==31432== by 0x95531D7: torture_run_suite (torture.c:339) >==31432== by 0x25FEFF: run_matching (smbtorture.c:93) >==31432== by 0x260195: torture_run_named_tests (smbtorture.c:143) > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11836 
> >Signed-off-by: Noel Power <noel.power@suse.com> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> > >Autobuild-User(master): Stefan Metzmacher <metze@samba.org> >Autobuild-Date(master): Thu Apr 14 13:24:10 CEST 2016 on sn-devel-144 > >(cherry picked from commit 43ea0974613d91548093999015d0f142aa07aeb3) >--- > source3/libsmb/libsmb_context.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > >diff --git a/source3/libsmb/libsmb_context.c b/source3/libsmb/libsmb_context.c >index 5e31dfb..a956058 100644 >--- a/source3/libsmb/libsmb_context.c >+++ b/source3/libsmb/libsmb_context.c >@@ -256,8 +256,9 @@ smbc_free_context(SMBCCTX *context, > > f = context->internal->files; > while (f) { >+ SMBCFILE *next = f->next; > smbc_getFunctionClose(context)(context, f); >- f = f->next; >+ f = next; > } > context->internal->files = NULL; > >-- >2.1.4 >
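Review bot: in the `while (f)` loop of smbc_free_context, caching `SMBCFILE *next = f->next;` is only safe while the close callback frees nothing except `f` itself, and nothing in the hunk records that assumption. A one-line comment above the new declaration saying that the close function frees `f` (the valgrind trace in the commit message shows the free coming from SMBC_closedir_ctx via SMBC_close_ctx) would stop a later cleanup from folding it back into `f = f->next;`. The result of `smbc_getFunctionClose(context)(context, f)` is also discarded, and `context->internal->files = NULL;` then drops the list unconditionally, so it is worth stating in the same comment whether ignoring a failed close during context teardown is intentional.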
Flags: npower: review? (abartlet), metze: review+