The Samba-Bugzilla – Attachment 13397 Details for Bug 12836
Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.
[patch] git-am fix for 4.7.0, 4.6.next, 4.5.next, 4.4.next
Filename: 0001-s3-smbd-Fix-a-read-after-free-if-a-chained-SMB1-call.patch
MIME Type: text/plain
Size: 1.39 KB
Creator: Jeremy Allison
Created: 2017-07-17 22:05:23 UTC
>From 9a34d324db3a1edda9a671283d3754b6e6c55881 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Thu, 13 Jul 2017 12:06:58 -0700 >Subject: [PATCH] s3: smbd: Fix a read after free if a chained SMB1 call goes > async. > >Reported to the Samba Team by Yihan Lian <lianyihan@360.cn>, a security >researcher of Qihoo 360 GearTeam. Thanks a lot! > >smb1_parse_chain() incorrectly used talloc_tos() for the memory >context of the chained smb1 requests. This gets freed between >requests so if a chained request goes async, the saved request >array also is freed, which causes a crash on resume. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12836 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 5fe76a5474823ed7602938a07c9c43226a7882a3) >--- > source3/smbd/process.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/smbd/process.c b/source3/smbd/process.c >index a19b8b78b9b..3765739d9c4 100644 >--- a/source3/smbd/process.c >+++ b/source3/smbd/process.c >@@ -1785,7 +1785,7 @@ static void construct_reply_chain(struct smbXsrv_connection *xconn, > unsigned num_reqs; > bool ok; > >- ok = smb1_parse_chain(talloc_tos(), (uint8_t *)inbuf, xconn, encrypted, >+ ok = smb1_parse_chain(xconn, (uint8_t *)inbuf, xconn, encrypted, > seqnum, &reqs, &num_reqs); > if (!ok) { > char errbuf[smb_size]; >-- >2.13.2.932.g7449e964c-goog >
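Review bot: the hunk in construct_reply_chain() moves the chained request array from talloc_tos() to xconn, which is the right lifetime for a request that can go async, but nothing in the visible lines shows where that array is released once the chain has been fully answered; if it is not freed explicitly, every chained SMB1 request will now accumulate on the connection context until the connection is torn down, so please confirm (and note in the commit message) that reqs or its elements are freed after the reply is sent. A short comment above the call, along the lines of "must outlive the talloc stack frame: chained requests can go async and resume later", would also make the reason for not using talloc_tos() obvious to the next person who touches this code, since the original bug is exactly that kind of lifetime mismatch.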
Flags: slow: review+; jra: review? (metze)