From e32b4407fecde2fb67887607cd2c9ee8b0c09cf1 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 23 Feb 2022 15:56:41 +0100 Subject: [PATCH] smbd: Fix a use-after-free stat_cache_lookup() allocates its result on top of talloc_tos(). filename_convert_smb1_search_path() creates a talloc_stackframe(), which makes the names which were supposed to be allocated on the "ctx" parameter of filename_convert_smb1_search_path() go away too early. Reparent the results from stat_cache_lookup() properly. Bug: https://bugzilla.samba.org/show_bug.cgi?id=14989 Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Tue Mar 1 20:59:55 UTC 2022 on sn-devel-184 (cherry picked from commit 8c97743511e4d53f795f2469a28aabfb96da0dfa) --- source3/smbd/filename.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c index ef382b43bd6..9146bf07ddc 100644 --- a/source3/smbd/filename.c +++ b/source3/smbd/filename.c @@ -1133,6 +1133,13 @@ NTSTATUS unix_convert(TALLOC_CTX *mem_ctx, &state->name, state->smb_fname->twrp, &state->smb_fname->st); + /* + * stat_cache_lookup() allocates on talloc_tos() even + * when !found, reparent correctly + */ + talloc_steal(state->smb_fname, state->smb_fname->base_name); + talloc_steal(state->mem_ctx, state->dirpath); + if (found) { goto done; } -- 2.32.0
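Review bot: the two talloc_steal() calls are placed before the `if (found) { goto done; }` check, so the reparenting also runs on a cache miss, which is exactly what the comment ("even when !found") requires; the comment itself should say which stat_cache_lookup() outputs are being fixed up, e.g. "move base_name under smb_fname and dirpath under mem_ctx, since both are returned on talloc_tos()", because the visible call site only shows `&state->name`, `twrp` and `&state->smb_fname->st` and a reader cannot see from this hunk that `state->smb_fname->base_name` and `state->dirpath` are written by the lookup. It is worth adding that if either pointer is NULL after a miss, talloc_steal() is a no-op, so the unconditional placement is safe; that is the property a reviewer will want stated next to the use-after-free fix rather than having to check talloc semantics.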