Created attachment 17990 [details]
fake smb server that triggers a use-after-free in smbclient

In this part of do_connect() in source3/libsmb/clidfs.c:

    status = smbXcli_negprot(c->conn, c->timeout,
                             lp_client_min_protocol(),
                             lp_client_max_protocol());
    if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT)) {
        ...;
        cli_shutdown(c);
    } else if (!NT_STATUS_IS_OK(status)) {
        ...;
        cli_shutdown(c);
        return status;
    }

    protocol = smbXcli_conn_protocol(c->conn);

The first arm of the "if" is missing a "return status". As a result, if smbclient times out during negotiation, cli_shutdown() can free c but then try to pass c->conn to smbXcli_conn_protocol().

A backtrace (with a debugging malloc that fills freed blocks with 0x7a):

#0  0x0000000002365c1c in smbXcli_conn_protocol (conn=0x7a7a7a7a7a7a7a7a) at ../../libcli/smb/smbXcli_base.c:483
#1  0x0000000001cf0d4a in do_connect (ctx=0x80424be90, server=0x80426c452 "x", share=0x8042592e0 "\\\\x\\x", creds=0x804257980, dest_ss=0x27835e8 <dest_ss>, port=0, name_type=32, pcli=0x7fffffffe048) at ../../source3/libsmb/clidfs.c:214
#2  0x0000000001ced971 in cli_cm_connect (ctx=0x80424be90, referring_cli=0x0, server=0x0, share=0x8042592e0 "\\\\x\\x", creds=0x804257980, dest_ss=0x27835e8 <dest_ss>, port=0, name_type=32, pcli=0x7fffffffe0d8) at ../../source3/libsmb/clidfs.c:316
#3  0x0000000001ced706 in cli_cm_open (ctx=0x80424be90, referring_cli=0x0, server=0x0, share=0x8042592e0 "\\\\x\\x", creds=0x804257980, dest_ss=0x27835e8 <dest_ss>, port=0, name_type=32, pcli=0x27835a0 <cli>) at ../../source3/libsmb/clidfs.c:424
#4  0x00000000025533b2 in process (base_directory=0x0) at ../../source3/client/client.c:6180
#5  0x00000000025529ab in main (argc=9, argv=0x7fffffffe6d0) at ../../source3/client/client.c:6727
This bug was referenced in samba master: 86f67f59eafc95ad5312fd711b0295a94237e036
Created attachment 18066 [details]
git-am fix for 4.19.next

Bug only exists in 4.19.next code.
Comment on attachment 18066 [details]
git-am fix for 4.19.next

It's missing the reviewed-by thingy, but as we can't fix master and that's all I care about I guess we can just push this as is to 4.19.
Reassigning to Jule for inclusion in 4.19.
Pushed to autobuild-v4-19-test.
This bug was referenced in samba v4-19-test: d70374c347953d64e9a6cf56db178d42f985227d
Closing out bug report. Thanks!
This bug was referenced in samba v4-19-stable (Release samba-4.19.2): d70374c347953d64e9a6cf56db178d42f985227d