14332 – double free in smbtree

Bug 14332 - double free in smbtree

Summary: double free in smbtree

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	libsmbclient (show other bugs)
Version:	4.12.0
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Karolin Seeger
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2020-04-01 14:08 UTC by Noel Power
Modified:	2020-04-07 08:03 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
patch for master (1.56 KB, patch) 2020-04-01 14:11 UTC, Noel Power	no flags	Details
patch for 4.12 cherry picked from master (1.79 KB, patch) 2020-04-02 08:21 UTC, Noel Power	vl: review+	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Noel Power 2020-04-01 14:08:55 UTC

since 968f72041021ccc0301220833f987dad8e3b9364 there is a double free in smbtree

samba built with modern gcc will show with smbtree -N

something like


WORKGROUP
        \\LIVEBOX                       Livebox
                \\LIVEBOX\USBkk                 Additional storage
                \\LIVEBOX\IPC$                  IPC Service (Livebox)
free(): double free detected in tcache 2
Abandon (core dumped)

seems we call poptFreeContext(pc) multiple times

Comment 1 Noel Power 2020-04-01 14:09:15 UTC

taking it

Comment 2 Noel Power 2020-04-01 14:11:25 UTC

Created attachment 15886 [details]
patch for master

Comment 3 Noel Power 2020-04-01 14:13:49 UTC

https://gitlab.com/samba-team/samba/-/merge_requests/1255

instead of reverting the orig patch 968f72041021ccc0301220833f987dad8e3b9364 I removed the orig existing poptFreeContext(pc) (after the while) and leave the new  poptFreeContext(pc) introduced with 968f72041021ccc0301220833f987dad8e3b9364 at the end of the method (where I think it is more visible)

Comment 4 Noel Power 2020-04-02 08:21:06 UTC

Created attachment 15887 [details]
patch for 4.12 cherry picked from master

Comment 5 Noel Power 2020-04-02 08:23:34 UTC

Assigning to Karolin for inclusion in 4.12

Comment 6 Karolin Seeger 2020-04-03 10:59:41 UTC

(In reply to Noel Power from comment #5)
Pushed to autobuild-v4-12-test.

Comment 7 Karolin Seeger 2020-04-07 08:03:38 UTC

(In reply to Karolin Seeger from comment #6)
Pushed to v4-12-test.
Closing out bug report.

Thanks!