Created attachment 6745 [details] feed cli_trans a valid pointer for num_data when data is not null. In cli_get_posix_fs_info (source3/libsmb/clifsinfo.c l.480) cli_trans is called with num_rdata = NULL; cli_trans then forwards this null pointer to cli_trans_recv (l.643 of source3/libsmb/clitrans.c), in which at l.569 this null pointer is dereferenced (*num_data = ...), which segfaults. This issue is also in master.
Volker, should we fix cli_trans_recv() or the caller?
In this case fixing the caller is the right thing to do as it matches all other uses. This patch is 100% correct (IMHO). I'm raising this to blocker as it needs to get into 3.6.0 (fatal crash bug causing gnome smbclient use to break). I'll attach a git-am version of his patch for 3.6.0 and will push to master. Jeremy.
FYI. I checked all other cases of calling cli_trans() and they all provide a valid rdata_count pointer when sending a non-null rdata pointer. Currently the API is designed to expect this - the aim I think is that the caller should check rdata_count to see if the amount of data is enough (although in this case it's not necessary as the rdata_min value is correctly set to 56). Jeremy.
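The calling convention Jeremy describes, shown as an added example that is not Samba's code: mock_trans_recv() is a hypothetical stand-in for cli_trans_recv() that writes the count through num_rdata whenever rdata is requested, get_posix_fs_info_fixed() is the caller written the way the patch fixes it (real storage for the count, then a check against RDATA_MIN before parsing), and the reply layout and the sample buffers are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define RDATA_MIN 56u /* minimum reply length the caller needs (56, as in the thread) */

/* Constructed sample replies: first 4 bytes = little-endian block size 4096. */
static const uint8_t sample_reply[RDATA_MIN] = {0x00, 0x10, 0x00, 0x00};
static const uint8_t short_reply[8] = {0x00, 0x10, 0x00, 0x00};

/* Hypothetical stand-in for cli_trans_recv(). Like the real API it always
 * writes the received length through num_rdata when rdata is requested, so a
 * NULL num_rdata next to a non-NULL rdata would be the reported NULL
 * dereference; here that precondition is checked and reported instead. */
static int mock_trans_recv(const uint8_t *wire, size_t wire_len,
                           uint8_t **rdata, uint32_t *num_rdata)
{
    if (rdata != NULL && num_rdata == NULL) return -2; /* caller contract bug */
    if (rdata != NULL) {
        *rdata = malloc(wire_len ? wire_len : 1);
        if (*rdata == NULL) return -1;
        memcpy(*rdata, wire, wire_len);
        *num_rdata = (uint32_t)wire_len;
    }
    return 0;
}

/* Caller written the way the patch fixes cli_get_posix_fs_info(): pass real
 * storage for the count, then check it against RDATA_MIN before parsing.
 * Returns 0 and the block size on success, -1 on a failed or short reply. */
static int get_posix_fs_info_fixed(const uint8_t *wire, size_t wire_len,
                                   uint32_t *out_block_size)
{
    uint8_t *rdata = NULL;
    uint32_t num_rdata = 0; /* valid storage instead of NULL */
    if (mock_trans_recv(wire, wire_len, &rdata, &num_rdata) != 0) return -1;
    if (num_rdata < RDATA_MIN) { /* short reply: refuse to parse */
        free(rdata);
        return -1;
    }
    *out_block_size = (uint32_t)rdata[0] | ((uint32_t)rdata[1] << 8)
                    | ((uint32_t)rdata[2] << 16) | ((uint32_t)rdata[3] << 24);
    free(rdata);
    return 0;
}
```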
Created attachment 6746 [details] git-am version of the patch for 3.6.0.
Comment on attachment 6746 [details] git-am version of the patch for 3.6.0. Looks good.
Karolin, please pick this for 3.6.0
Pushed to v3-6-test. Closing out bug report. Thanks!