The Samba-Bugzilla – Attachment 9852 Details for Bug 10554: request backport for 'smb1 - fix read of deleted memory in reply_writeclose()'
[patch] patch for 4.1.6
0001-s3-smbd-smb1-fix-read-of-deleted-memory-in-reply_wri.patch (text/plain), 2.68 KB, created by Noel Power on 2014-04-15 11:55:08 UTC
>From 2c211f70aabf0a6896c5741fc1af92f73ddda0d8 Mon Sep 17 00:00:00 2001 >From: Noel Power <nopower@suse.com> >Date: Thu, 27 Feb 2014 12:07:11 -0800 >Subject: [PATCH] s3: smbd - smb1 - fix read of deleted memory in > reply_writeclose(). > >While running smbtorture test raw.write under valgrind an "Invalid read" >was reported in methid reply_writeclose, it seems after closing a file >sometime later we try to access it again. > >Signed-off-by: Noel Power <noel.power@suse.com> >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> > >Autobuild-User(master): Jeremy Allison <jra@samba.org> >Autobuild-Date(master): Mon Mar 3 20:42:40 CET 2014 on sn-devel-104 >(cherry picked from commit 04e434661fa6b5f13776f925b0a7cbadb6b6d006) >--- > source3/smbd/reply.c | 24 +++++++++++++----------- > 1 file changed, 13 insertions(+), 11 deletions(-) > >diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c >index 6b926fb..cbea49e 100644 >--- a/source3/smbd/reply.c >+++ b/source3/smbd/reply.c >@@ -5194,7 +5194,7 @@ void reply_writeclose(struct smb_request *req) > mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4)); > data = (const char *)req->buf + 1; > >- if (!fsp->print_file) { >+ if (fsp->print_file == NULL) { > init_strict_lock_struct(fsp, (uint64_t)req->smbpid, > (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK, > &lock); >@@ -5208,6 +5208,10 @@ void reply_writeclose(struct smb_request *req) > > nwritten = write_file(req,fsp,data,startpos,numtowrite); > >+ if (fsp->print_file == NULL) { >+ SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock); >+ } >+ > set_close_write_time(fsp, mtime); > > /* 
>@@ -5215,34 +5219,32 @@ void reply_writeclose(struct smb_request *req) > * JRA. > */ > >+ DEBUG(3,("writeclose %s num=%d wrote=%d (numopen=%d)\n", >+ fsp_fnum_dbg(fsp), (int)numtowrite, (int)nwritten, >+ (numtowrite) ? conn->num_files_open - 1 : conn->num_files_open)); >+ > if (numtowrite) { > DEBUG(3,("reply_writeclose: zero length write doesn't close " > "file %s\n", fsp_str_dbg(fsp))); > close_status = close_file(req, fsp, NORMAL_CLOSE); >+ fsp = NULL; > } > >- DEBUG(3,("writeclose %s num=%d wrote=%d (numopen=%d)\n", >- fsp_fnum_dbg(fsp), (int)numtowrite, (int)nwritten, >- conn->num_files_open)); >- > if(((nwritten == 0) && (numtowrite != 0))||(nwritten < 0)) { > reply_nterror(req, NT_STATUS_DISK_FULL); >- goto strict_unlock; >+ goto out; > } > > if(!NT_STATUS_IS_OK(close_status)) { > reply_nterror(req, close_status); >- goto strict_unlock; >+ goto out; > } > > reply_outbuf(req, 1, 0); > > SSVAL(req->outbuf,smb_vwv0,nwritten); > >-strict_unlock: >- if (numtowrite && !fsp->print_file) { >- SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock); >- } >+out: > > END_PROFILE(SMBwriteclose); > return; >-- >1.8.1.4 >
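Review bot: In the second hunk of source3/smbd/reply.c (the lines added right after the write_file() call), the new SMB_VFS_STRICT_UNLOCK is guarded by `fsp->print_file == NULL` alone, whereas the block removed at the old `strict_unlock:` label also required `numtowrite`. The new guard mirrors the lock condition in the first hunk, which is the right pairing, but nothing at the call site says why the unlock now sits before set_close_write_time() and close_file(). A one-line comment stating that the unlock must happen while fsp is still valid, because close_file() follows, would keep a later cleanup from moving it back to the end of the function.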
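Review bot: In the third hunk, the relocated DEBUG(3, ...) prints `numopen` as `conn->num_files_open - 1` whenever numtowrite is non-zero, so the log records a predicted count before close_file() has run and stays that way even when close_status comes back as an error. Consider capturing what the message needs from fsp before the close and logging the actual conn->num_files_open afterwards, or renaming the field so it is clear the value is an expectation. In the same hunk, the unchanged message "zero length write doesn't close file" sits inside `if (numtowrite)`, the branch that does close the file, so the text reads as inverted and is worth correcting while this block is being touched. Setting `fsp = NULL` after the close and dropping the fsp access under the old label look correct for the invalid read described in the commit message.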
Flags: jra: review+, metze: review+