Bug 11622 - fix invalid read in smb2cli_ioctl_done()
Summary: fix invalid read in smb2cli_ioctl_done()
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 11623
Reported: 2015-11-27 16:38 UTC by Stefan Metzmacher
Modified: 2016-04-20 07:18 UTC

Attachments
Patch for v4-3-test (6.33 KB, patch)
2016-04-13 17:22 UTC, Stefan Metzmacher
jra: review+
Description Stefan Metzmacher 2015-11-27 16:38:02 UTC
==7913== Invalid read of size 1
==7913==    at 0xC4F23EE: smb2cli_ioctl_done (smb2cli_ioctl.c:245)
==7913==    by 0x747A744: _tevent_req_notify_callback (tevent_req.c:112)
==7913==    by 0x747A817: tevent_req_finish (tevent_req.c:149)
==7913==    by 0x747A93C: tevent_req_trigger (tevent_req.c:206)
==7913==    by 0x7479B2B: tevent_common_loop_immediate (tevent_immediate.c:135)
==7913==    by 0xA9CB4BE: run_events_poll (events.c:192)
==7913==    by 0xA9CBB32: s3_event_loop_once (events.c:303)
==7913==    by 0x7478C72: _tevent_loop_once (tevent.c:533)
==7913==    by 0x747AACD: tevent_req_poll (tevent_req.c:256)
==7913==    by 0x505315D: tevent_req_poll_ntstatus (tevent_ntstatus.c:109)
==7913==    by 0xA7201F2: cli_tree_connect (cliconnect.c:2764)
==7913==    by 0x165FF7: cm_prepare_connection (winbindd_cm.c:1276)
==7913==  Address 0x16ce24ec is 764 bytes inside a block of size 813 alloc'd
==7913==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==7913==    by 0x768A0C1: __talloc_with_prefix (talloc.c:668)
==7913==    by 0x768A27E: _talloc_pool (talloc.c:721)
==7913==    by 0x768A41E: _talloc_pooled_object (talloc.c:790)
==7913==    by 0x747A594: _tevent_req_create (tevent_req.c:66)
==7913==    by 0xCF6E2FA: read_packet_send (async_sock.c:414)
==7913==    by 0xCF6EB54: read_smb_send (read_smb.c:54)
==7913==    by 0xC4DA146: smbXcli_conn_receive_next (smbXcli_base.c:1027)
==7913==    by 0xC4DA02D: smbXcli_req_set_pending (smbXcli_base.c:978)
==7913==    by 0xC4DF776: smb2cli_req_compound_submit (smbXcli_base.c:3166)
==7913==    by 0xC4DFC1D: smb2cli_req_send (smbXcli_base.c:3268)
==7913==    by 0xC4F2210: smb2cli_ioctl_send (smb2cli_ioctl.c:149)
==7913==
Comment 1 Stefan Metzmacher 2016-04-13 17:22:58 UTC
Created attachment 11989
Patch for v4-3-test
Comment 2 Jeremy Allison 2016-04-13 17:52:05 UTC
Comment on attachment 11989
Patch for v4-3-test

LGTM.
Comment 3 Jeremy Allison 2016-04-13 17:52:27 UTC
Reassigning to Karolin for inclusion in 4.3.next.
Comment 4 Karolin Seeger 2016-04-18 10:45:29 UTC
Pushed to autobuild-v4-3-test.
Comment 5 Karolin Seeger 2016-04-20 07:18:33 UTC
(In reply to Karolin Seeger from comment #4)
Pushed to v4-3-test.
Closing out bug report.

Thanks!