From 134b6561c0f182a9025ebe18482e0d26c63c0401 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 13 Jul 2017 12:06:58 -0700 Subject: [PATCH] s3: smbd: Fix a read after free if a chained SMB1 call goes async. Reported to the Samba Team by Yihan Lian , a security researcher of Qihoo 360 GearTeam. Thanks a lot! smb1_parse_chain() incorrectly used talloc_tos() for the memory context of the chained smb1 requests. This gets freed between requests so if a chained request goes async, the saved request array also is freed, which causes a crash on resume. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12836 Signed-off-by: Jeremy Allison Reviewed-by: Stefan Metzmacher --- source3/smbd/process.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/smbd/process.c b/source3/smbd/process.c index a19b8b78b9b..3765739d9c4 100644 --- a/source3/smbd/process.c +++ b/source3/smbd/process.c @@ -1785,7 +1785,7 @@ static void construct_reply_chain(struct smbXsrv_connection *xconn, unsigned num_reqs; bool ok; - ok = smb1_parse_chain(talloc_tos(), (uint8_t *)inbuf, xconn, encrypted, + ok = smb1_parse_chain(xconn, (uint8_t *)inbuf, xconn, encrypted, seqnum, &reqs, &num_reqs); if (!ok) { char errbuf[smb_size]; -- 2.13.2.932.g7449e964c-goog
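Review bot: Nothing in the visible context of the construct_reply_chain hunk shows where the reqs array is released once the chain completes, now that it is parented on xconn instead of the talloc_tos() stack frame; because one connection serves many chained requests, please confirm that the completion path does a TALLOC_FREE(reqs) (or that the array is reparented onto a per-request context) so the allocation does not accumulate on xconn for the life of the connection. Moving to the longer-lived parent is the right fix for the use-after-free described in the commit message, so a one-line comment at the call site, e.g. `/* reqs must outlive a chained call that goes async; see bug 12836 */`, would stop a later cleanup from reverting it to talloc_tos().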