Bug 11836 - smbc_free_context function deletes freed memory
smbc_free_context function deletes freed memory
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient
unspecified
All All
: P5 normal
: ---
Assigned To: Samba QA Contact
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-04-14 07:23 UTC by Noel Power
Modified: 2016-04-14 14:01 UTC (History)
2 users (show)

See Also:


Attachments
patch file for master (2.52 KB, patch)
2016-04-14 07:23 UTC, Noel Power
no flags Details
patch backported to 4.3 (2.88 KB, patch)
2016-04-14 13:51 UTC, Noel Power
nopower: review? (abartlet)
metze: review+
Details
patch backported to 4.4 (2.88 KB, patch)
2016-04-14 13:51 UTC, Noel Power
nopower: review? (abartlet)
metze: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Noel Power 2016-04-14 07:23:39 UTC
Created attachment 11992 [details]
patch file for master

Following valgrind error can be triggered on at least 4.2[*], 4.3, 4.4 and master


==31432== Invalid read of size 8
==31432==    at 0x99B8858: smbc_free_context (libsmb_context.c:260)
==31432==    by 0x5E6401: torture_libsmbclient_opendir (libsmbclient.c:136)
==31432==    by 0x9553F42: wrap_simple_test (torture.c:632)
==31432==    by 0x955366F: internal_torture_run_test (torture.c:442)
==31432==    by 0x95538C3: torture_run_tcase_restricted (torture.c:506)
==31432==    by 0x9553278: torture_run_suite_restricted (torture.c:357)
==31432==    by 0x95531D7: torture_run_suite (torture.c:339)
==31432==    by 0x25FEFF: run_matching (smbtorture.c:93)
==31432==    by 0x260195: torture_run_named_tests (smbtorture.c:143)
==31432==    by 0x261E14: main (smbtorture.c:665)
==31432==  Address 0x18864a70 is 80 bytes inside a block of size 96 free'd
==31432==    at 0x4C2A37C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31432==    by 0x99BCC46: SMBC_closedir_ctx (libsmb_dir.c:922)
==31432==    by 0x99C06CA: SMBC_close_ctx (libsmb_file.c:370)
==31432==    by 0x99B8853: smbc_free_context (libsmb_context.c:259)
==31432==    by 0x5E6401: torture_libsmbclient_opendir (libsmbclient.c:136)
==31432==    by 0x9553F42: wrap_simple_test (torture.c:632)
==31432==    by 0x955366F: internal_torture_run_test (torture.c:442)
==31432==    by 0x95538C3: torture_run_tcase_restricted (torture.c:506)
==31432==    by 0x9553278: torture_run_suite_restricted (torture.c:357)
==31432==    by 0x95531D7: torture_run_suite (torture.c:339)
==31432==    by 0x25FEFF: run_matching (smbtorture.c:93)
==31432==    by 0x260195: torture_run_named_tests (smbtorture.c:143)

[*] not supported for bug fixes
Comment 1 Noel Power 2016-04-14 13:51:25 UTC
Created attachment 11994 [details]
patch backported to 4.3
Comment 2 Noel Power 2016-04-14 13:51:51 UTC
Created attachment 11995 [details]
patch backported to 4.4