Attachment 17180 Details for Bug 14989 – git-am fix for 4.16.rcNext, 4.15.next.

[patch] git-am fix for 4.16.rcNext, 4.15.next.

0001-smbd-Fix-a-use-after-free.patch (text/plain), 1.48 KB, created by Jeremy Allison on 2022-03-01 21:50:07 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Jeremy Allison

Created: 2022-03-01 21:50:07 UTC

Size: 1.48 KB

patch

obsolete

>From e32b4407fecde2fb67887607cd2c9ee8b0c09cf1 Mon Sep 17 00:00:00 2001
>From: Volker Lendecke <vl@samba.org>
>Date: Wed, 23 Feb 2022 15:56:41 +0100
>Subject: [PATCH] smbd: Fix a use-after-free
>
>stat_cache_lookup() allocates its result on top of talloc_tos().
>filename_convert_smb1_search_path() creates a talloc_stackframe(),
>which makes the names which were supposed to be allocated on the "ctx"
>parameter of filename_convert_smb1_search_path() go away too
>early. Reparent the results from stat_cache_lookup() properly.
>
>Bug: https://bugzilla.samba.org/show_bug.cgi?id=14989
>
>Signed-off-by: Volker Lendecke <vl@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>
>Autobuild-User(master): Jeremy Allison <jra@samba.org>
>Autobuild-Date(master): Tue Mar  1 20:59:55 UTC 2022 on sn-devel-184
>
>(cherry picked from commit 8c97743511e4d53f795f2469a28aabfb96da0dfa)
>---
> source3/smbd/filename.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
>diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
>index ef382b43bd6..9146bf07ddc 100644
>--- a/source3/smbd/filename.c
>+++ b/source3/smbd/filename.c
>@@ -1133,6 +1133,13 @@ NTSTATUS unix_convert(TALLOC_CTX *mem_ctx,
> 					  &state->name,
> 					  state->smb_fname->twrp,
> 					  &state->smb_fname->st);
>+		/*
>+		 * stat_cache_lookup() allocates on talloc_tos() even
>+		 * when !found, reparent correctly
>+		 */
>+		talloc_steal(state->smb_fname, state->smb_fname->base_name);
>+		talloc_steal(state->mem_ctx, state->dirpath);
>+
> 		if (found) {
> 			goto done;
> 		}
>-- 
>2.32.0
>

Flags:

vl: review+

Actions: View

Attachments on bug 14989: 17180