Bug 13935 - AddressSanitizer: stack-use-after-scope in ndr_push_spoolss_SetPrinterInfo8
Summary: AddressSanitizer: stack-use-after-scope in ndr_push_spoolss_SetPrinterInfo8
Status: RESOLVED WONTFIX
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Printing
Version: 4.10.2
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: printing-maintainers
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-05-08 22:20 UTC by Gary Lockyer
Modified: 2021-01-11 13:09 UTC

See Also:

Attachments
ASAN error report (4.29 KB, text/plain)
2019-05-08 22:20 UTC, Gary Lockyer

Description Gary Lockyer 2019-05-08 22:20:16 UTC
Created attachment 15131
ASAN error report

==27165==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffc12312b10 at pc 0x7f5f2219512b bp 0x7ffc123126e0 sp 0x7ffc123126d0
READ of size 4 at 0x7ffc12312b10 thread T0
    #0 0x7f5f2219512a in ndr_push_spoolss_SetPrinterInfo8 librpc/gen_ndr/ndr_spoolss.c:8466
    #1 0x7f5f2219512a in ndr_push_spoolss_SetPrinterInfo librpc/gen_ndr/ndr_spoolss.c:8639
    #2 0x7f5f221c782a in ndr_push_spoolss_SetPrinterInfoCtr librpc/gen_ndr/ndr_spoolss.c:9002


To reproduce:
* configure with --address-sanitizer enabled
* make TESTS="samba3.rpc.spoolss.printer"
Comment 1 Andrew Bartlett 2019-05-13 22:50:22 UTC
The info and info8 variables in the torture suite need to be in the calling scope, not in the switch.

	switch (level) {
	case 2: {
		/* block-scoped: its lifetime ends at this case block's closing brace */
		union spoolss_PrinterInfo info;
		torture_assert(tctx, test_GetPrinter_level(tctx, b, handle, 2, &info), "");
		torture_assert(tctx, PrinterInfo_to_SetPrinterInfo(tctx, &info, 2, &sinfo), "");

		info_ctr.level = 2;
		info_ctr.info = sinfo;

		break;
	}
	case 8: {
		/* block-scoped as well */
		struct spoolss_SetPrinterInfo8 info8;

		info8.devmode_ptr = 0;

		info_ctr.level = 8;
		/* stores the address of info8, which is dead once this block ends;
		 * the later ndr_push reads through that dangling pointer */
		info_ctr.info.info8 = &info8;

		break;
	}

Torture code only, not security relevant.
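As an added illustration of the scoping problem described in comment 1 (this is not Samba code; the struct, union and function names below are constructed stand-ins for the spoolss types and the ndr_push routine named in the report), the torture-test shape is shown beside the fixed shape, with the object declared in the calling scope:

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed stand-ins for the Samba spoolss types named in the report. */
struct set_printer_info8 { uint32_t devmode_ptr; };
union set_printer_info { struct set_printer_info8 *info8; };
struct set_printer_info_ctr { uint32_t level; union set_printer_info info; };

/* Stand-in for ndr_push_spoolss_SetPrinterInfo8: the 4-byte read ASan reported. */
uint32_t push_info8(const struct set_printer_info_ctr *ctr)
{
	return ctr->info.info8->devmode_ptr;
}

/* Torture-test shape from comment 1: info8 is declared inside the case block,
 * so it dies at that block's closing brace while ctr still holds its address.
 * Reading through ctr afterwards is the stack-use-after-scope ASan flagged. */
void fill_ctr_buggy(struct set_printer_info_ctr *ctr, uint32_t level)
{
	switch (level) {
	case 8: {
		struct set_printer_info8 info8;
		info8.devmode_ptr = 0;
		ctr->level = 8;
		ctr->info.info8 = &info8;	/* address of a block-scoped object */
		break;
	}
	}
}

/* The fix the comment asks for: the object lives in the calling scope and is
 * handed in, so it outlives both the switch and the later push. */
void fill_ctr_fixed(struct set_printer_info_ctr *ctr, uint32_t level, struct set_printer_info8 *info8)
{
	switch (level) {
	case 8:
		info8->devmode_ptr = 0;
		ctr->level = 8;
		ctr->info.info8 = info8;
		break;
	}
}

int main(void)
{
	struct set_printer_info_ctr ctr;
	struct set_printer_info8 info8;	/* declared in the calling scope */
	fill_ctr_fixed(&ctr, 8, &info8);
	printf("level=%u devmode_ptr=%u\n", ctr.level, push_info8(&ctr));
	return 0;
}
```

main exercises only the fixed path; swapping in fill_ctr_buggy and building with -fsanitize=address reproduces the kind of stack-use-after-scope report attached to this bug.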
Comment 2 Björn Jacke 2021-01-11 13:09:15 UTC
Closing as wontfix accordingly.