Bug 11836 - smbc_free_context function deletes freed memory
Summary: smbc_free_context function deletes freed memory
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient
Version: unspecified
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2016-04-14 07:23 UTC by Noel Power
Modified: 2016-04-14 14:01 UTC

Attachments
patch file for master (2.52 KB, patch) - 2016-04-14 07:23 UTC, Noel Power - no flags
patch backported to 4.3 (2.88 KB, patch) - 2016-04-14 13:51 UTC, Noel Power - npower: review? (abartlet); metze: review+
patch backported to 4.4 (2.88 KB, patch) - 2016-04-14 13:51 UTC, Noel Power - npower: review? (abartlet); metze: review+

Description Noel Power 2016-04-14 07:23:39 UTC
Created attachment 11992 [details]
patch file for master

The following valgrind error can be triggered on at least 4.2[*], 4.3, 4.4 and master:

==31432== Invalid read of size 8
==31432==    at 0x99B8858: smbc_free_context (libsmb_context.c:260)
==31432==    by 0x5E6401: torture_libsmbclient_opendir (libsmbclient.c:136)
==31432==    by 0x9553F42: wrap_simple_test (torture.c:632)
==31432==    by 0x955366F: internal_torture_run_test (torture.c:442)
==31432==    by 0x95538C3: torture_run_tcase_restricted (torture.c:506)
==31432==    by 0x9553278: torture_run_suite_restricted (torture.c:357)
==31432==    by 0x95531D7: torture_run_suite (torture.c:339)
==31432==    by 0x25FEFF: run_matching (smbtorture.c:93)
==31432==    by 0x260195: torture_run_named_tests (smbtorture.c:143)
==31432==    by 0x261E14: main (smbtorture.c:665)
==31432==  Address 0x18864a70 is 80 bytes inside a block of size 96 free'd
==31432==    at 0x4C2A37C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31432==    by 0x99BCC46: SMBC_closedir_ctx (libsmb_dir.c:922)
==31432==    by 0x99C06CA: SMBC_close_ctx (libsmb_file.c:370)
==31432==    by 0x99B8853: smbc_free_context (libsmb_context.c:259)
==31432==    by 0x5E6401: torture_libsmbclient_opendir (libsmbclient.c:136)
==31432==    by 0x9553F42: wrap_simple_test (torture.c:632)
==31432==    by 0x955366F: internal_torture_run_test (torture.c:442)
==31432==    by 0x95538C3: torture_run_tcase_restricted (torture.c:506)
==31432==    by 0x9553278: torture_run_suite_restricted (torture.c:357)
==31432==    by 0x95531D7: torture_run_suite (torture.c:339)
==31432==    by 0x25FEFF: run_matching (smbtorture.c:93)
==31432==    by 0x260195: torture_run_named_tests (smbtorture.c:143)

[*] not supported for bug fixes
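The pattern behind the trace above, as an added example that is not Samba's code or the attached patch: the context tears down its list of open handles by calling each handle's close routine, which frees the handle, so reading the handle's next link after that call is the invalid read inside a free'd block that valgrind reports; the fixed loop saves the link first. The struct and function names here are assumptions made for the illustration, not libsmbclient's.

```c
#include <stdlib.h>
/* Constructed model of an open-file entry; names are assumptions. */
struct file_entry {
	char payload[80];        /* fields that precede the list link */
	struct file_entry *next; /* the link the buggy loop reads after free */
};
struct ctx {
	struct file_entry *files; /* open files/dirs owned by the context */
	int closed;               /* entries released by the teardown */
};

/* Close handler that, like SMBC_closedir_ctx in the trace, frees the entry. */
static void close_entry(struct ctx *c, struct file_entry *f)
{
	free(f);
	c->closed++;
}

/* Buggy teardown: f->next is read after close_entry() freed f, which is the
 * "Invalid read ... inside a block ... free'd" valgrind reports. Contrast only. */
void free_context_buggy(struct ctx *c)
{
	for (struct file_entry *f = c->files; f != NULL; f = f->next)
		close_entry(c, f);
}

/* Fixed teardown: capture the link before the entry is released. */
int free_context(struct ctx *c)
{
	struct file_entry *f = c->files;
	while (f != NULL) {
		struct file_entry *next = f->next;
		close_entry(c, f);
		f = next;
	}
	c->files = NULL;
	return c->closed;
}

/* Build a constructed context holding n open entries. */
struct ctx *make_ctx(int n)
{
	struct ctx *c = calloc(1, sizeof(*c));
	for (int i = 0; c != NULL && i < n; i++) {
		struct file_entry *f = calloc(1, sizeof(*f));
		if (f == NULL) break;
		f->next = c->files;
		c->files = f;
	}
	return c;
}
```

Running the fixed teardown under valgrind or AddressSanitizer is clean, which is the check to keep in a regression test for this class of bug.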
Comment 1 Noel Power 2016-04-14 13:51:25 UTC
Created attachment 11994 [details]
patch backported to 4.3
Comment 2 Noel Power 2016-04-14 13:51:51 UTC
Created attachment 11995 [details]
patch backported to 4.4