Bug 13171 - valgrind read-after-free error in cli_smb2_close_fnum_recv()
valgrind read-after-free error in cli_smb2_close_fnum_recv()
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient
unspecified
All All
: P5 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks: 13159
  Show dependency treegraph
 
Reported: 2017-11-29 17:01 UTC by Jeremy Allison
Modified: 2017-12-06 09:29 UTC (History)
1 user (show)

See Also:


Attachments
git-am fix for master (1.36 KB, patch)
2017-11-29 22:11 UTC, Jeremy Allison
no flags Details
git-am fix cherry-pick from master for 4.7.next, 4.6.next (1.55 KB, patch)
2017-11-30 22:09 UTC, Jeremy Allison
slow: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Allison 2017-11-29 17:01:36 UTC
cli_smb2_close_fnum_recv() uses tevent_req_simple_recv_ntstatus(req), which frees req, then uses the state pointer which was owned by req. Patch to follow.
Comment 1 Jeremy Allison 2017-11-29 22:11:27 UTC
Created attachment 13823 [details]
git-am fix for master
Comment 2 Jeremy Allison 2017-11-30 22:09:40 UTC
Created attachment 13831 [details]
git-am fix cherry-pick from master for 4.7.next, 4.6.next

Cherry-picked from master.
Comment 3 Ralph Böhme 2017-11-30 22:15:09 UTC
Reassigning to Karolin for inclusion in 4.6 and 4.7.
Comment 4 Karolin Seeger 2017-12-05 09:32:03 UTC
(In reply to Ralph Böhme from comment #3)
Pushed to autobuild-v4-{7,6}-test.
Comment 5 Karolin Seeger 2017-12-06 09:29:20 UTC
Pushed to both branches.
Closing out bug report.

Thanks!