Attachment 13375 Details for Bug 12836 – git-am fix for master.

[patch] git-am fix for master.

0001-s3-smbd-Fix-a-read-after-free-if-a-chained-SMB1-call.patch (text/plain), 1.28 KB, created by Jeremy Allison on 2017-07-13 19:12:28 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Jeremy Allison

Created: 2017-07-13 19:12:28 UTC

Size: 1.28 KB

patch

obsolete

>From df43fc8933199dbe0644a1c5f6f1b5d7a9a8ee44 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Thu, 13 Jul 2017 12:06:58 -0700
>Subject: [PATCH] s3: smbd: Fix a read after free if a chained SMB1 call goes
> async.
>
>Reported to the Samba Team by Yihan Lian <lianyihan@360.cn>, a security
>researcher of Qihoo 360 GearTeam. Thanks a lot!
>
>smb1_parse_chain() incorrectly used talloc_tos() for the memory
>context of the chained smb1 requests. This gets freed between
>requests so if a chained request goes async, the saved request
>array also is freed, which causes a crash on resume.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12836
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>---
> source3/smbd/process.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/source3/smbd/process.c b/source3/smbd/process.c
>index a19b8b78b9b..409168eb775 100644
>--- a/source3/smbd/process.c
>+++ b/source3/smbd/process.c
>@@ -1785,7 +1785,7 @@ static void construct_reply_chain(struct smbXsrv_connection *xconn,
> 	unsigned num_reqs;
> 	bool ok;
> 
>-	ok = smb1_parse_chain(talloc_tos(), (uint8_t *)inbuf, xconn, encrypted,
>+	ok = smb1_parse_chain(NULL, (uint8_t *)inbuf, xconn, encrypted,
> 			      seqnum, &reqs, &num_reqs);
> 	if (!ok) {
> 		char errbuf[smb_size];
>-- 
>2.13.2.932.g7449e964c-goog
>

Actions: View

Attachments on bug 12836: 13278 | 13279 | 13288 | 13375 | 13386 | 13397