Bug 13171 - valgrind read-after-free error in cli_smb2_close_fnum_recv()
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 13159
 
Reported: 2017-11-29 17:01 UTC by Jeremy Allison
Modified: 2017-12-06 09:29 UTC

See Also:


Attachments
git-am fix for master (1.36 KB, patch)
2017-11-29 22:11 UTC, Jeremy Allison
no flags
git-am fix cherry-pick from master for 4.7.next, 4.6.next (1.55 KB, patch)
2017-11-30 22:09 UTC, Jeremy Allison
slow: review+

Description Jeremy Allison 2017-11-29 17:01:36 UTC
cli_smb2_close_fnum_recv() uses tevent_req_simple_recv_ntstatus(req), which frees req, then uses the state pointer which was owned by req. Patch to follow.
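The ordering problem described above, reduced to a small stand-alone model. This is an added example, not Samba code and not the attached patch: the struct layout, the function names, and the assumption that the receive function stores the status in a longer-lived client object are all hypothetical.

```c
#include <stdlib.h>
/* Hypothetical model, not Samba code: req owns state, state refers to cli. */
struct client { int raw_status; };
struct close_state { struct client *cli; };
struct request { struct close_state *state; int status; };

static int request_init(struct request *req, struct client *cli, int status)
{
    req->status = status;
    req->state = calloc(1, sizeof(*req->state));
    if (req->state == NULL) return -1;
    req->state->cli = cli;
    return 0;
}

/* Stand-in for a "simple recv" helper: state is dead once this returns. */
static int simple_recv_status(struct request *req)
{
    int status = req->status;
    free(req->state);
    req->state = NULL;
    return status;
}

#ifdef SHOW_BUGGY_ORDER /* ordering from the report; valgrind flags it */
static int close_recv_buggy(struct request *req)
{
    struct close_state *state = req->state;
    int status = simple_recv_status(req); /* state freed here */
    state->cli->raw_status = status;      /* read after free */
    return status;
}
#endif

/* Safe ordering: copy what is needed out of state before the release. */
static int close_recv_fixed(struct request *req)
{
    struct client *cli = req->state->cli; /* state still live */
    int status = simple_recv_status(req); /* state released */
    cli->raw_status = status;             /* cli outlives the request */
    return status;
}

int main(void)
{
    struct client cli = { 0 };
    struct request req;
    if (request_init(&req, &cli, 7) != 0) return 1; /* 7: constructed status */
    return (close_recv_fixed(&req) == 7 && cli.raw_status == 7) ? 0 : 1;
}
```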
Comment 1 Jeremy Allison 2017-11-29 22:11:27 UTC
Created attachment 13823
git-am fix for master
Comment 2 Jeremy Allison 2017-11-30 22:09:40 UTC
Created attachment 13831
git-am fix cherry-pick from master for 4.7.next, 4.6.next

Cherry-picked from master.
Comment 3 Ralph Böhme 2017-11-30 22:15:09 UTC
Reassigning to Karolin for inclusion in 4.6 and 4.7.
Comment 4 Karolin Seeger 2017-12-05 09:32:03 UTC
(In reply to Ralph Böhme from comment #3)
Pushed to autobuild-v4-{7,6}-test.
Comment 5 Karolin Seeger 2017-12-06 09:29:20 UTC
Pushed to both branches.
Closing out bug report.

Thanks!