Bug 7027 - winbindd crash in winbindd_dual_ccache_ntlm_auth due to freed memory reference.
winbindd crash in winbindd_dual_ccache_ntlm_auth due to freed memory reference.
Status: RESOLVED FIXED
Product: Samba 3.5
Classification: Unclassified
Component: Winbind
unspecified
All All
: P3 major
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2010-01-11 15:49 UTC by Jeremy Allison
Modified: 2010-01-13 02:06 UTC (History)
0 users

See Also:


Attachments
git-am patch for 3.5.0. (1.03 KB, patch)
2010-01-11 15:51 UTC, Jeremy Allison
vl: review+
Details
git-am format patch for 3.4.5. (1.03 KB, patch)
2010-01-11 15:55 UTC, Jeremy Allison
no flags Details
git-am format patch for 3.3.10 (1.02 KB, patch)
2010-01-11 16:58 UTC, Jeremy Allison
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Allison 2010-01-11 15:49:29 UTC
commit 43c841b6bd92e987109df81b6b8a2b85f21b0181
Author: Volker Lendecke <vl@samba.org>
Date:   Sat Jan 9 20:22:00 2010 +0100

    s3: Fix a segfault in winbindd_dual_ccache_ntlm_auth()

    ntlmssp_update allocates the reply_blob as a child of ntlmssp_state. This means
    with ntlmss_end() it will be gone. winbindd_dual_ccache_ntlm_auth used the blob
    after the ntlmssp_end().
Comment 1 Jeremy Allison 2010-01-11 15:51:37 UTC
Created attachment 5157 [details]
git-am patch for 3.5.0.
Comment 2 Jeremy Allison 2010-01-11 15:55:55 UTC
Created attachment 5158 [details]
git-am format patch for 3.4.5.
Comment 3 Jeremy Allison 2010-01-11 16:58:04 UTC
Created attachment 5159 [details]
git-am format patch for 3.3.10
Comment 4 Jeremy Allison 2010-01-11 17:03:34 UTC
Comment on attachment 5159 [details]
git-am format patch for 3.3.10

Scratch the patches for 3.4.x and 3.3.x.

The msrpc_parse code is different there and doesn't use ntlmssp_state as the talloc patent of the reply_blob. This is why he have not yet seen crashes in 3.4.x or 3.3.x. Patch is still needed for 3.5.0 though.
Jeremy.
Comment 5 Jeremy Allison 2010-01-11 17:04:03 UTC
Comment on attachment 5158 [details]
git-am format patch for 3.4.5.

Scratch the patches for 3.4.x and 3.3.x.

The msrpc_parse code is different there and doesn't use ntlmssp_state as the
talloc patent of the reply_blob. This is why he have not yet seen crashes in
3.4.x or 3.3.x. Patch is still needed for 3.5.0 though.
Jeremy.
Comment 6 Volker Lendecke 2010-01-12 15:30:11 UTC
Comment on attachment 5157 [details]
git-am patch for 3.5.0.

A bit pointless to review given the authorship of this patch :-)
Comment 7 Volker Lendecke 2010-01-12 15:30:55 UTC
Karolin, this needs to go into 3.5.0.

Thanks,

Volker
Comment 8 Karolin Seeger 2010-01-13 02:06:26 UTC
Pushed to v3-5-test.
Closing out bug report.

Thanks!