The Samba-Bugzilla – Attachment 13375 Details for Bug 12836
Bug 12836: Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.
[patch] git-am fix for master.
Description: git-am fix for master.
Filename: 0001-s3-smbd-Fix-a-read-after-free-if-a-chained-SMB1-call.patch
MIME Type: text/plain
Creator: Jeremy Allison
Created: 2017-07-13 19:12:28 UTC
Size: 1.28 KB
Flags: patch, obsolete
>From df43fc8933199dbe0644a1c5f6f1b5d7a9a8ee44 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Thu, 13 Jul 2017 12:06:58 -0700 >Subject: [PATCH] s3: smbd: Fix a read after free if a chained SMB1 call goes > async. > >Reported to the Samba Team by Yihan Lian <lianyihan@360.cn>, a security >researcher of Qihoo 360 GearTeam. Thanks a lot! > >smb1_parse_chain() incorrectly used talloc_tos() for the memory >context of the chained smb1 requests. This gets freed between >requests so if a chained request goes async, the saved request >array also is freed, which causes a crash on resume. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12836 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > source3/smbd/process.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/smbd/process.c b/source3/smbd/process.c >index a19b8b78b9b..409168eb775 100644 >--- a/source3/smbd/process.c >+++ b/source3/smbd/process.c >@@ -1785,7 +1785,7 @@ static void construct_reply_chain(struct smbXsrv_connection *xconn, > unsigned num_reqs; > bool ok; > >- ok = smb1_parse_chain(talloc_tos(), (uint8_t *)inbuf, xconn, encrypted, >+ ok = smb1_parse_chain(NULL, (uint8_t *)inbuf, xconn, encrypted, > seqnum, &reqs, &num_reqs); > if (!ok) { > char errbuf[smb_size]; >-- >2.13.2.932.g7449e964c-goog >
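Review bot: Passing NULL instead of talloc_tos() as the parent context for smb1_parse_chain() means the reqs array is no longer freed with the stackframe that is torn down between chained requests, which removes the read-after-free on async resume, but it also makes the caller responsible for freeing that array; the hunk does not show where reqs is released, so confirm that construct_reply_chain() (or the async continuation) talloc_free()s or reparents the array on both the synchronous and the async completion paths, otherwise the fix trades a use-after-free for a per-request leak. A one-line comment above the call noting why the allocation deliberately has no parent would also help the next reader, since a bare NULL context reads like an oversight.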