Bug 8341 - libsmbclient segfault when feed the root of a mounted share via an uri
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: libsmbclient
Version: unspecified
Hardware: All All
Importance: P5 regression
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2011-08-01 22:23 UTC by Alban Browaeys
Modified: 2011-08-02 18:39 UTC

Attachments
feed cli_trans a valid pointer for num_data when data is not null (1.28 KB, text/plain)
2011-08-01 22:23 UTC, Alban Browaeys
git-am version of the patch for 3.6.0. (1.08 KB, patch)
2011-08-02 00:01 UTC, Jeremy Allison
vl: review+
metze: review+

Description Alban Browaeys 2011-08-01 22:23:24 UTC
Created attachment 6745
feed cli_trans a valid pointer for num_data when data is not null

In cli_get_posix_fs_info (source3/libsmb/clifsinfo.c l.480), cli_trans is called with num_rdata = NULL; cli_trans then forwards this null pointer to cli_trans_recv (l.643 of source3/libsmb/clitrans.c),
in which, at l.569, this null pointer is dereferenced
*num_data = 
which segfaults.

This issue is also in master.
Comment 1 Stefan Metzmacher 2011-08-01 22:46:40 UTC
Volker, should we fix cli_trans_recv() or the caller?
Comment 2 Jeremy Allison 2011-08-01 23:43:18 UTC
In this case fixing the caller is the right thing to do as it matches all other uses. This patch is 100% correct (IMHO).

I'm raising this to blocker as it needs to get into 3.6.0 (fatal crash bug causing gnome smbclient use to break).

I'll attach a git-am version of his patch for 3.6.0 and will push to master.

Jeremy.
Comment 3 Jeremy Allison 2011-08-01 23:51:03 UTC
FYI. I checked all other cases of calling cli_trans() and they all provide a valid rdata_count pointer when sending a non-null rdata pointer. Currently the API is designed to expect this - the aim I think is that the caller should check rdata_count to see if the amount of data is enough (although in this case it's not necessary as the rdata_min value is correctly set to 56).

Jeremy.
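
The contract described in Comment 3 (a non-NULL rdata pointer must come with a non-NULL count pointer, and the caller checks the count against the 56-byte minimum), as an added example that is not Samba's code and not part of the original report. It is a simplified C model in which the callee also validates the pair on entry; all type, function and field names are hypothetical and the reply bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names throughout: a simplified model, not Samba's API. */
enum trans_status { TRANS_OK, TRANS_INVALID_PARAMETER, TRANS_SHORT_REPLY, TRANS_NO_MEMORY };
struct reply { const uint8_t *data; uint32_t len; };  /* constructed server reply */

/* rdata and num_rdata form a pair: validating it on entry turns a NULL count
 * pointer into an error return instead of a later NULL dereference. */
enum trans_status trans_recv(const struct reply *r, uint32_t min_rdata,
                             uint8_t **rdata, uint32_t *num_rdata)
{
    if (rdata != NULL && num_rdata == NULL) return TRANS_INVALID_PARAMETER;
    if (r->len < min_rdata) return TRANS_SHORT_REPLY;
    if (rdata != NULL) {
        uint8_t *copy = malloc(r->len ? r->len : 1);
        if (copy == NULL) return TRANS_NO_MEMORY;
        if (r->len)
            memcpy(copy, r->data, r->len);
        *rdata = copy;
        *num_rdata = r->len;
    }
    return TRANS_OK;
}

/* Caller side: pass a real count variable and check it before parsing. */
enum trans_status get_fs_info(const struct reply *r, uint32_t *field)
{
    uint8_t *rdata = NULL;
    uint32_t num_rdata = 0;
    enum trans_status st = trans_recv(r, 56, &rdata, &num_rdata);
    if (st != TRANS_OK) return st;
    if (num_rdata < 56) { free(rdata); return TRANS_SHORT_REPLY; }
    /* Little-endian 32-bit value at offset 4 (constructed layout). */
    *field = rdata[4] | (uint32_t)rdata[5] << 8 | (uint32_t)rdata[6] << 16 | (uint32_t)rdata[7] << 24;
    free(rdata);
    return TRANS_OK;
}

int main(void)
{
    uint8_t buf[56] = { 0, 0, 0, 0, 0x00, 0x10 };  /* constructed: field = 4096 */
    struct reply r = { buf, sizeof(buf) };
    uint8_t *p = NULL;
    uint32_t field = 0;
    int bad = trans_recv(&r, 56, &p, NULL), good = get_fs_info(&r, &field);
    printf("NULL count -> %d, fixed caller -> %d, field = %u\n", bad, good, (unsigned)field);
}
```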
Comment 4 Jeremy Allison 2011-08-02 00:01:27 UTC
Created attachment 6746
git-am version of the patch for 3.6.0.
Comment 5 Stefan Metzmacher 2011-08-02 01:40:55 UTC
Comment on attachment 6746
git-am version of the patch for 3.6.0.

Looks good
Comment 6 Stefan Metzmacher 2011-08-02 01:41:26 UTC
Karolin, please pick this for 3.6.0
Comment 7 Karolin Seeger 2011-08-02 18:39:19 UTC
Pushed to v3-6-test.
Closing out bug report.

Thanks!