From a751c29e4ff3fbdf573252b791775fd805cd7759 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 29 Nov 2017 09:21:30 -0800
Subject: [PATCH] s3: libsmb: Fix valgrind read-after-free error in
cli_smb2_close_fnum_recv().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cli_smb2_close_fnum_recv() uses tevent_req_simple_recv_ntstatus(req), which
frees req, then uses the state pointer which was owned by req.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13171
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Nov 30 05:47:12 CET 2017 on sn-devel-144
(cherry picked from commit 5c8032b6b8ce4439b3ef8f43a62a419f081eb787)
---
source3/libsmb/cli_smb2_fnum.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
index 5d46d543002..237e6bb2b54 100644
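--- a/source3/libsmb/cli_smb2_fnum.c
+++ b/source3/libsmb/cli_smb2_fnum.c
@@ -449,8 +449,12 @@ NTSTATUS cli_smb2_close_fnum_recv(struct tevent_req *req)
 {
 struct cli_smb2_close_fnum_state *state = tevent_req_data(
 req, struct cli_smb2_close_fnum_state);
- NTSTATUS status = tevent_req_simple_recv_ntstatus(req);
- state->cli->raw_status = status;
+ NTSTATUS status = NT_STATUS_OK;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ state->cli->raw_status = status;
+ }
+ tevent_req_received(req);
 return status;
 }
 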
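Review bot: On the success path `state->cli->raw_status` is no longer written, whereas the removed lines assigned it unconditionally, so a caller that reads `raw_status` after a successful close may see the status left by an earlier request. If that change is not intended, the assignment can stay unconditional as long as it precedes the release: `(void)tevent_req_is_nterror(req, &status);` then `state->cli->raw_status = status;` then `tevent_req_received(req);`. Either way, the ordering is the whole fix and nothing in the code says so; a comment above the last call such as `/* state is owned by req: no access to state after tevent_req_received() */` would keep the read-after-free from being reintroduced by a later cleanup.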
--
2.15.0.531.g2ccb3012c9-goog