The Samba-Bugzilla – Attachment 17180 Details for Bug 14989: Fix a use-after-free in SMB1 server
[patch]
git-am fix for 4.16.rcNext, 4.15.next.
0001-smbd-Fix-a-use-after-free.patch (text/plain), 1.48 KB, created by Jeremy Allison on 2022-03-01 21:50:07 UTC
>From e32b4407fecde2fb67887607cd2c9ee8b0c09cf1 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Wed, 23 Feb 2022 15:56:41 +0100 >Subject: [PATCH] smbd: Fix a use-after-free > >stat_cache_lookup() allocates its result on top of talloc_tos(). >filename_convert_smb1_search_path() creates a talloc_stackframe(), >which makes the names which were supposed to be allocated on the "ctx" >parameter of filename_convert_smb1_search_path() go away too >early. Reparent the results from stat_cache_lookup() properly. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=14989 > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> > >Autobuild-User(master): Jeremy Allison <jra@samba.org> >Autobuild-Date(master): Tue Mar 1 20:59:55 UTC 2022 on sn-devel-184 > >(cherry picked from commit 8c97743511e4d53f795f2469a28aabfb96da0dfa) >--- > source3/smbd/filename.c | 7 +++++++ > 1 file changed, 7 insertions(+) > >diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c >index ef382b43bd6..9146bf07ddc 100644 >--- a/source3/smbd/filename.c >+++ b/source3/smbd/filename.c >@@ -1133,6 +1133,13 @@ NTSTATUS unix_convert(TALLOC_CTX *mem_ctx, > &state->name, > state->smb_fname->twrp, > &state->smb_fname->st); >+ /* >+ * stat_cache_lookup() allocates on talloc_tos() even >+ * when !found, reparent correctly >+ */ >+ talloc_steal(state->smb_fname, state->smb_fname->base_name); >+ talloc_steal(state->mem_ctx, state->dirpath); >+ > if (found) { > goto done; > } >-- >2.32.0 >
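Review bot: Reparenting at the call site, in the two talloc_steal() lines added before `if (found)` in unix_convert(), leaves stat_cache_lookup() itself still allocating on talloc_tos(), so any other caller running under a nested talloc_stackframe() has to remember the same fix-up. Consider passing a TALLOC_CTX into stat_cache_lookup() so its results land on the intended parent directly. The new comment could also state why the two parents differ (state->smb_fname for base_name, state->mem_ctx for dirpath), since the arguments that receive those pointers sit above the hunk context and cannot be checked from the diff. The change is 7 added lines in source3/smbd/filename.c with no test; a regression test that goes through filename_convert_smb1_search_path(), the path named in the commit message, would guard against the early free coming back.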
Flags: vl: review+