Bug 11955 - lib: msghdr_copy() passes an invalid pointer to msghdr_prep_fds()
Summary: lib: msghdr_copy() passes an invalid pointer to msghdr_prep_fds()
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Reported: 2016-06-07 20:30 UTC by Jeremy Allison
Modified: 2016-06-16 09:08 UTC (History)
2 users (show)

See Also:

Proposed fix for master. (1.13 KB, patch)
2016-06-07 20:32 UTC, Jeremy Allison
no flags Details
Fix for 4.4.next, 4.3.next. (1.29 KB, patch)
2016-06-08 17:18 UTC, Jeremy Allison
vl: review+

Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Allison 2016-06-07 20:30:59 UTC
When called with msg == NULL in:

queue_msg() : /source3/lib/unix_msg/unix_msg.c:474 

474		msghdrlen = msghdr_copy(NULL, 0, NULL, 0, iov, iovcnt,
475					fds_copy, num_fds);

msghdr_copy() indirects the first parameter (msg) in:

207		fd_len = msghdr_prep_fds(&msg->msg, msg->buf, bufsize, fds, num_fds);

which (should) crash. Currently on 64-bit Linux it passes an invalid pointer:

msghdr_prep_fds (msg=0x0, buf=0xc8 <error: Cannot access memory at address 0xc8>, bufsize=0, ...)

which as we never indirect inside msghdr_prep_fds() allows the code to continue.

This may crash on other platforms. Fix proposed to master to follow.
Comment 1 Jeremy Allison 2016-06-07 20:32:04 UTC
Created attachment 12165 [details]
Proposed fix for master.

Once this gets accepted I'll autobuild with this bug report added to the commit message, then back-port for 4.4.x, 4.3.x.
Comment 2 Jeremy Allison 2016-06-08 17:18:51 UTC
Created attachment 12167 [details]
Fix for 4.4.next, 4.3.next.

Cherry-picked from master + bug report ref. added to commit message. Applies cleanly to 4.4.next, 4.3.next.
Comment 3 Jeremy Allison 2016-06-09 18:34:33 UTC
Karolin please apply to 4.4.next, 4.3.next. Thanks ! Jeremy.
Comment 4 Karolin Seeger 2016-06-15 09:34:13 UTC
(In reply to Jeremy Allison from comment #3)
Pushed to autobuild-v4-[4|3]-test.
Comment 5 Karolin Seeger 2016-06-16 09:08:50 UTC
(In reply to Karolin Seeger from comment #4)
Pushed to both branches.
Closing out bug report.