From 3d02bf10d7738fe604b524863764de3ca1faa081 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>

Date: Thu, 4 Nov 2021 22:22:44 +0100

Subject: [PATCH] s3-winexe: Fix winexe core dump (use-after-free)

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14893

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>

Autobuild-Date(master): Fri Nov  5 11:43:57 UTC 2021 on sn-devel-184

(cherry picked from commit e9495d2ed28a26899dc3dd77bdfe56e284980218)

---

 examples/winexe/winexe.c | 16 ++++++++++++----

 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/examples/winexe/winexe.c b/examples/winexe/winexe.c

index 3e0813a4091..59fb9dbdebb 100644

--- a/examples/winexe/winexe.c

+++ b/examples/winexe/winexe.c

@@ -220,8 +220,6 @@ static void parse_args(int argc, const char *argv[],

 		*port_str = '\0';

 	}

-	poptFreeContext(pc);

-

 	if (options->runas == NULL && options->runas_file != NULL) {

 		struct cli_credentials *runas_cred;

 		const char *user;

@@ -253,9 +251,19 @@ static void parse_args(int argc, const char *argv[],

 	options->credentials = samba_cmdline_get_creds();

-	options->hostname = argv_new[0] + 2;

+	options->hostname = talloc_strdup(mem_ctx, argv_new[0] + 2);

+	if (options->hostname == NULL) {

+		DBG_ERR("Out of memory\n");

+		exit(1);

+	}

 	options->port = port;

-	options->cmd = argv_new[1];

+	options->cmd = talloc_strdup(mem_ctx, argv_new[1]);

+	if (options->cmd == NULL) {

+		DBG_ERR("Out of memory\n");

+		exit(1);

+	}

+

+	poptFreeContext(pc);

 	options->flags = flag_interactive;

 	if (flag_reinstall) {

-- 

2.33.1