7027 – winbindd crash in winbindd_dual_ccache_ntlm_auth due to freed memory reference.

Bug 7027 - winbindd crash in winbindd_dual_ccache_ntlm_auth due to freed memory reference.

Summary: winbindd crash in winbindd_dual_ccache_ntlm_auth due to freed memory reference.

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 3.5
Classification:	Unclassified
Component:	Winbind (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P3 major
Target Milestone:	---
Assignee:	Karolin Seeger
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2010-01-11 15:49 UTC by Jeremy Allison
Modified:	2010-01-13 02:06 UTC (History)
CC List:	0 users

See Also:

Attachments
git-am patch for 3.5.0. (1.03 KB, patch) 2010-01-11 15:51 UTC, Jeremy Allison	vl: review+	Details
git-am format patch for 3.4.5. (1.03 KB, patch) 2010-01-11 15:55 UTC, Jeremy Allison	no flags	Details
git-am format patch for 3.3.10 (1.02 KB, patch) 2010-01-11 16:58 UTC, Jeremy Allison	no flags	Details
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jeremy Allison 2010-01-11 15:49:29 UTC

commit 43c841b6bd92e987109df81b6b8a2b85f21b0181
Author: Volker Lendecke <vl@samba.org>
Date:   Sat Jan 9 20:22:00 2010 +0100

    s3: Fix a segfault in winbindd_dual_ccache_ntlm_auth()

    ntlmssp_update allocates the reply_blob as a child of ntlmssp_state. This means
    with ntlmss_end() it will be gone. winbindd_dual_ccache_ntlm_auth used the blob
    after the ntlmssp_end().

Comment 1 Jeremy Allison 2010-01-11 15:51:37 UTC

Created attachment 5157 [details]
git-am patch for 3.5.0.

Comment 2 Jeremy Allison 2010-01-11 15:55:55 UTC

Created attachment 5158 [details]
git-am format patch for 3.4.5.

Comment 3 Jeremy Allison 2010-01-11 16:58:04 UTC

Created attachment 5159 [details]
git-am format patch for 3.3.10

Comment 4 Jeremy Allison 2010-01-11 17:03:34 UTC

Comment on attachment 5159 [details]
git-am format patch for 3.3.10

Scratch the patches for 3.4.x and 3.3.x.

The msrpc_parse code is different there and doesn't use ntlmssp_state as the talloc patent of the reply_blob. This is why he have not yet seen crashes in 3.4.x or 3.3.x. Patch is still needed for 3.5.0 though.
Jeremy.

Comment 5 Jeremy Allison 2010-01-11 17:04:03 UTC

Comment on attachment 5158 [details]
git-am format patch for 3.4.5.

Scratch the patches for 3.4.x and 3.3.x.

The msrpc_parse code is different there and doesn't use ntlmssp_state as the
talloc patent of the reply_blob. This is why he have not yet seen crashes in
3.4.x or 3.3.x. Patch is still needed for 3.5.0 though.
Jeremy.

Comment 6 Volker Lendecke 2010-01-12 15:30:11 UTC

Comment on attachment 5157 [details]
git-am patch for 3.5.0.

A bit pointless to review given the authorship of this patch :-)

Comment 7 Volker Lendecke 2010-01-12 15:30:55 UTC

Karolin, this needs to go into 3.5.0.

Thanks,

Volker

Comment 8 Karolin Seeger 2010-01-13 02:06:26 UTC

Pushed to v3-5-test.
Closing out bug report.

Thanks!