Bug 11955 - lib: msghdr_copy() passes an invalid pointer to msghdr_prep_fds()
Summary: lib: msghdr_copy() passes an invalid pointer to msghdr_prep_fds()
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-07 20:30 UTC by Jeremy Allison
Modified: 2016-06-16 09:08 UTC (History)
2 users (show)

See Also:

Attachments
Proposed fix for master. (1.13 KB, patch)
2016-06-07 20:32 UTC, Jeremy Allison 		no flags Details
Fix for 4.4.next, 4.3.next. (1.29 KB, patch)
2016-06-08 17:18 UTC, Jeremy Allison 		vl: review+
Details
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Allison 2016-06-07 20:30:59 UTC 
When called with msg == NULL in:

queue_msg() : /source3/lib/unix_msg/unix_msg.c:474 

474		msghdrlen = msghdr_copy(NULL, 0, NULL, 0, iov, iovcnt,
475					fds_copy, num_fds);

msghdr_copy() indirects the first parameter (msg) in:

207		fd_len = msghdr_prep_fds(&msg->msg, msg->buf, bufsize, fds, num_fds);

which (should) crash. Currently on 64-bit Linux it passes an invalid pointer:

msghdr_prep_fds (msg=0x0, buf=0xc8 <error: Cannot access memory at address 0xc8>, bufsize=0, ...)

which as we never indirect inside msghdr_prep_fds() allows the code to continue.

This may crash on other platforms. Fix proposed to master to follow.
Comment 1 Jeremy Allison 2016-06-07 20:32:04 UTC 
Created attachment 12165 [details]
Proposed fix for master.

Once this gets accepted I'll autobuild with this bug report added to the commit message, then back-port for 4.4.x, 4.3.x.
Comment 2 Jeremy Allison 2016-06-08 17:18:51 UTC 
Created attachment 12167 [details]
Fix for 4.4.next, 4.3.next.

Cherry-picked from master + bug report ref. added to commit message. Applies cleanly to 4.4.next, 4.3.next.
Comment 3 Jeremy Allison 2016-06-09 18:34:33 UTC 
Karolin please apply to 4.4.next, 4.3.next. Thanks ! Jeremy.
Comment 4 Karolin Seeger 2016-06-15 09:34:13 UTC 
(In reply to Jeremy Allison from comment #3)
Pushed to autobuild-v4-[4|3]-test.
Comment 5 Karolin Seeger 2016-06-16 09:08:50 UTC 
(In reply to Karolin Seeger from comment #4)
Pushed to both branches.
Closing out bug report.

Thanks!