Sorry for my poor English. This problem is the same as bug #696.

In Samba 3.0.0/2.2.8a, smbd/blocking.c push_blocking_lock_request() has a potential NULL pointer dereference when the CIFS client specifies a bad fid. get_fsp_from_pkt() can return NULL, because file_fsp(), which is called from get_fsp_from_pkt(), can return NULL. push_blocking_lock_request() calls get_fsp_from_pkt() and dereferences the returned pointer without a NULL check.

To fix this, probably add the code below.

-----------------------------------------
  blr->fsp = get_fsp_from_pkt(inbuf);
+ if(!blr->fsp){
+ SAFE_FREE(blr);
+ return False;
+ }
-----------------------------------------

----------------------------------------------------------------------
BOOL push_blocking_lock_request( char *inbuf, int length, int lock_timeout,
        int lock_num, uint16 lock_pid, SMB_BIG_UINT offset, SMB_BIG_UINT count)
{
(snip)
    blr->com_type = CVAL(inbuf,smb_com);
    blr->fsp = get_fsp_from_pkt(inbuf);
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    blr->expire_time = (lock_timeout == -1) ? (time_t)-1 : time(NULL) + (time_t) lock_timeout;
    blr->lock_num = lock_num;
    blr->lock_pid = lock_pid;
    blr->offset = offset;
    blr->count = count;
    memcpy(blr->inbuf, inbuf, length);
    blr->length = length;

    /* Add a pending lock record for this. */
    status = brl_lock(blr->fsp->dev, blr->fsp->inode, blr->fsp->fnum,
                      ^^^^^^^^^^     ^^^^^^^^^^       ^^^^^^^^^
                      lock_pid, sys_getpid(), blr->fsp->conn->cnum,
                                              ^^^^^^^^^^
                      offset, count, PENDING_LOCK);
----------------------------------------------------------------------
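Review bot: SAFE_FREE(blr) on the new early-return path releases the record but not the packet copy it owns: blr->inbuf is the buffer the memcpy() further down fills and, per the follow-up comment, is released separately by free_blocking_lock_record(), so a request rejected here leaks that buffer. Free blr->inbuf before blr, or call free_blocking_lock_record(blr) instead of SAFE_FREE(blr).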
Sorry, my fix code is wrong. It causes a memory leak.

-----------------------------------------
  blr->fsp = get_fsp_from_pkt(inbuf);
+ if(!blr->fsp){
+ free_blocking_lock_record(blr); //SAFE_FREE blr->inbuf and blr.
+ return False;
+ }
-----------------------------------------
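Review bot: the trailing comment on the free_blocking_lock_record() line uses C++ `//` syntax while the surrounding code uses `/* ... */` (see the "Add a pending lock record for this." comment in the excerpt); switch it to `/* SAFE_FREE blr->inbuf and blr. */` for consistency with the rest of the file. It is also worth confirming against the callers in smbd/reply.c that get_fsp_from_pkt() can actually return NULL at this point; if every caller validates the fid before the call, the early return is dead code and the patch only adds an unreachable branch.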
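To make the difference between the two proposed cleanups concrete, here is an added, stand-alone illustration in C. It is not Samba's code: files_struct, blocking_lock_record, file_fsp(), get_fsp_from_pkt() and free_blocking_lock_record() are hypothetical mocks that keep only the shape relevant here (a record with a separately allocated inbuf, and a fid lookup that returns NULL for an unknown fid), and a malloc counter stands in for a leak checker. The bad-fid path with full_cleanup == 0 mirrors the first patch (free the record only) and with full_cleanup == 1 the second (free both allocations).

```c
/*
 * Added illustration, not Samba code: hypothetical mock of a blocking-lock
 * record whose packet copy (inbuf) is its own allocation. Freeing only the
 * record on the bad-fid path leaks that copy; a dedicated free routine does
 * not. A malloc counter makes the leak observable.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FILES 4

/* Hypothetical stand-in for Samba's files_struct. */
typedef struct {
    int fnum;
    int is_open;
} files_struct;

/* Hypothetical stand-in for blocking_lock_record. */
typedef struct {
    files_struct *fsp;
    char *inbuf;      /* separately allocated copy of the request packet */
    size_t length;
} blocking_lock_record;

static files_struct file_table[MAX_FILES];

/* Outstanding malloc() blocks, so callers can detect a leak. */
static int live_allocations = 0;

static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    if (p) live_allocations++;
    return p;
}

static void tracked_free(void *p)
{
    if (p) { free(p); live_allocations--; }
}

/* Mock file_fsp(): NULL for an fnum that is out of range or not open. */
static files_struct *file_fsp(int fnum)
{
    if (fnum < 0 || fnum >= MAX_FILES || !file_table[fnum].is_open) return NULL;
    return &file_table[fnum];
}

/* Mock get_fsp_from_pkt(): the fid is the first little-endian 16-bit word. */
static files_struct *get_fsp_from_pkt(const char *inbuf)
{
    int fnum = (unsigned char)inbuf[0] | ((unsigned char)inbuf[1] << 8);
    return file_fsp(fnum);
}

static void free_blocking_lock_record(blocking_lock_record *blr)
{
    if (!blr) return;
    tracked_free(blr->inbuf);
    tracked_free(blr);
}

/*
 * Returns 1 on success, 0 for a bad fid. full_cleanup == 0 frees only the
 * record on the bad-fid path (first patch); 1 frees both (second patch).
 */
static int push_blocking_lock_request(const char *inbuf, size_t length, int full_cleanup)
{
    blocking_lock_record *blr = tracked_malloc(sizeof *blr);
    if (!blr) return 0;
    blr->inbuf = tracked_malloc(length);
    if (!blr->inbuf) { tracked_free(blr); return 0; }

    blr->fsp = get_fsp_from_pkt(inbuf);
    if (!blr->fsp) {
        if (full_cleanup) free_blocking_lock_record(blr);
        else tracked_free(blr);          /* leaks blr->inbuf */
        return 0;
    }
    memcpy(blr->inbuf, inbuf, length);
    blr->length = length;
    /* The real code would call brl_lock(blr->fsp->dev, ...) here; fsp is non-NULL. */
    free_blocking_lock_record(blr);      /* retire the record; nothing leaks */
    return 1;
}

/* One request against a table where only fnum 1 is open; *leaked gets the blocks left over. */
static int run_request(int fid, int full_cleanup, int *leaked)
{
    char pkt[8] = {0};   /* constructed packet: fid in the first two bytes */
    int ok;
    memset(file_table, 0, sizeof file_table);
    file_table[1].fnum = 1;
    file_table[1].is_open = 1;
    live_allocations = 0;
    pkt[0] = (char)(fid & 0xff);
    pkt[1] = (char)((fid >> 8) & 0xff);
    ok = push_blocking_lock_request(pkt, sizeof pkt, full_cleanup);
    *leaked = live_allocations;
    return ok;
}

static int request_ok(int fid, int full_cleanup) { int l; return run_request(fid, full_cleanup, &l); }
static int blocks_leaked(int fid, int full_cleanup) { int l; run_request(fid, full_cleanup, &l); return l; }

int main(void)
{
    int ok, leaked;
    ok = run_request(1, 1, &leaked);
    printf("good fid, full cleanup:   ok=%d leaked=%d\n", ok, leaked);
    ok = run_request(3, 0, &leaked);
    printf("bad fid, record-only free: ok=%d leaked=%d\n", ok, leaked);
    ok = run_request(3, 1, &leaked);
    printf("bad fid, full cleanup:    ok=%d leaked=%d\n", ok, leaked);
    return 0;
}
```

The general point the mock makes: once a record owns a second allocation, every early return after that allocation must go through the one routine that knows the record's layout, otherwise each new error path becomes a leak.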
Actually this fix will have no effect because the fsp pointer has already been validated in smbd/reply.c before calling push_blocking_lock_request(). Not a bug. Jeremy.