The Samba-Bugzilla – Attachment 13412 Details for Bug 12927: Use-after free can crash libsmbclient code.
[patch] git-am fix for 4.7.0, 4.6.next, 4.5.next.
0001-s3-libsmb-Fix-use-after-free-when-accessing-pointer-.patch (text/plain), 2.19 KB, created by Jeremy Allison on 2017-07-22 22:31:51 UTC
>From 0d01efdcb106938a82d7273277869fcf3003e8c5 Mon Sep 17 00:00:00 2001 >From: Thomas Jarosch <thomas.jarosch@intra2net.com> >Date: Sat, 22 Jul 2017 09:36:18 -0700 >Subject: [PATCH] s3: libsmb: Fix use-after-free when accessing pointer *p. >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >talloc_asprintf_append() might call realloc() >and therefore move the memory address of "path". > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12927 > >Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com> >Reviewed-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Ralph Böhme <slow@samba.org> > >Autobuild-User(master): Jeremy Allison <jra@samba.org> >Autobuild-Date(master): Sat Jul 22 22:45:05 CEST 2017 on sn-devel-144 > >(cherry picked from commit 890137cffedcaf88a9ff808c01335ee14fcfd8da) >--- > source3/libsmb/libsmb_dir.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > >diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c >index 4a4e08412bc..8038584138b 100644 >--- a/source3/libsmb/libsmb_dir.c >+++ b/source3/libsmb/libsmb_dir.c >@@ -379,9 +379,9 @@ SMBC_opendir_ctx(SMBCCTX *context, > char *options = NULL; > char *workgroup = NULL; > char *path = NULL; >+ size_t path_len = 0; > uint16_t mode; > uint16_t port = 0; >- char *p = NULL; > SMBCSRV *srv = NULL; > SMBCFILE *dir = NULL; > struct sockaddr_storage rem_ss; >@@ -802,7 +802,7 @@ SMBC_opendir_ctx(SMBCCTX *context, > > /* Now, list the files ... */ > >- p = path + strlen(path); >+ path_len = strlen(path); > path = talloc_asprintf_append(path, "\\*"); > if (!path) { > if (dir) { >@@ -844,7 +844,7 @@ SMBC_opendir_ctx(SMBCCTX *context, > * got would have been EINVAL rather > * than ENOTDIR. > */ >- *p = '\0'; /* restore original path */ >+ path[path_len] = '\0'; /* restore original path */ > > if (SMBC_getatr(context, srv, path, > &mode, NULL, >-- >2.11.0 >
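Review bot: The `path_len = strlen(path);` line in the hunk at -802 should carry a short comment explaining that an offset is saved rather than a pointer because talloc_asprintf_append() may reallocate and move `path`. That reason currently lives only in the commit message, so a later cleanup of this function could reintroduce a saved pointer into the old buffer without any warning from the code itself.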
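Review bot: `path[path_len] = '\0';` in the hunk at -844 is only correct while `path` is still the buffer returned by the append roughly forty lines earlier and is at least `path_len + 1` bytes long. The lines between the append and this restore are outside the visible context, so please confirm that nothing there reassigns or shortens `path`; if that holds, saying so in the `/* restore original path */` comment would make the invariant explicit.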
Flags: slow: review+