The Samba-Bugzilla – Bug 11955
lib: msghdr_copy() passes an invalid pointer to msghdr_prep_fds()
Last modified: 2016-06-16 09:08:50 UTC
When called with msg == NULL in:
queue_msg() : /source3/lib/unix_msg/unix_msg.c:474
474 msghdrlen = msghdr_copy(NULL, 0, NULL, 0, iov, iovcnt,
475 fds_copy, num_fds);
msghdr_copy() indirects the first parameter (msg) in:
207 fd_len = msghdr_prep_fds(&msg->msg, msg->buf, bufsize, fds, num_fds);
which (should) crash. Currently on 64-bit Linux it passes an invalid pointer:
msghdr_prep_fds (msg=0x0, buf=0xc8 <error: Cannot access memory at address 0xc8>, bufsize=0, ...)
which as we never indirect inside msghdr_prep_fds() allows the code to continue.
This may crash on other platforms. Fix proposed to master to follow.
Created attachment 12165 [details]
Proposed fix for master.
Once this gets accepted I'll autobuild with this bug report added to the commit message, then back-port for 4.4.x, 4.3.x.
Created attachment 12167 [details]
Fix for 4.4.next, 4.3.next.
Cherry-picked from master + bug report ref. added to commit message. Applies cleanly to 4.4.next, 4.3.next.
Karolin please apply to 4.4.next, 4.3.next. Thanks ! Jeremy.
(In reply to Jeremy Allison from comment #3)
Pushed to autobuild-v4-[4|3]-test.
(In reply to Karolin Seeger from comment #4)
Pushed to both branches.
Closing out bug report.