mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
s3:smbd: Fix invalid memory free
"Error: BAD_FREE (CWE-590): samba-4.20.0rc2/source3/smbd/smb1_process.c:1485: array_free: ""smb1_srv_send"" frees array ""errbuf"". 1483| char errbuf[smb_size]; 1484| error_packet(errbuf, 0, 0, status, __LINE__, __FILE__); 1485|-> if (!smb1_srv_send(req->xconn, 1486| errbuf, 1487| true," Pair-Programmed-With: Ralph Boehme <slow@samba.org> Signed-off-by: Ralph Boehme <slow@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
This commit is contained in:
parent
94b8fa4134
commit
0131e4737c
@ -139,11 +139,7 @@ static NTSTATUS make_srv_encryption_context(const struct tsocket_address *remote
|
||||
|
||||
void srv_free_enc_buffer(struct smbXsrv_connection *xconn, char *buf)
|
||||
{
|
||||
/* We know this is an smb buffer, and we
|
||||
* didn't malloc, only copy, for a keepalive,
|
||||
* so ignore non-session messages. */
|
||||
|
||||
if(CVAL(buf,0)) {
|
||||
if (buf == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -217,6 +217,7 @@ bool smb1_srv_send(struct smbXsrv_connection *xconn,
|
||||
size_t len = 0;
|
||||
ssize_t ret;
|
||||
char *buf_out = buffer;
|
||||
char *encrypted_buf = NULL;
|
||||
|
||||
if (!NT_STATUS_IS_OK(xconn->transport.status)) {
|
||||
/*
|
||||
@ -240,7 +241,7 @@ bool smb1_srv_send(struct smbXsrv_connection *xconn,
|
||||
}
|
||||
|
||||
if (do_encrypt) {
|
||||
NTSTATUS status = srv_encrypt_buffer(xconn, buffer, &buf_out);
|
||||
NTSTATUS status = srv_encrypt_buffer(xconn, buffer, &encrypted_buf);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(0, ("send_smb: SMB encryption failed "
|
||||
"on outgoing packet! Error %s\n",
|
||||
@ -248,11 +249,13 @@ bool smb1_srv_send(struct smbXsrv_connection *xconn,
|
||||
ret = -1;
|
||||
goto out;
|
||||
}
|
||||
buf_out = encrypted_buf;
|
||||
}
|
||||
|
||||
len = smb_len_large(buf_out) + 4;
|
||||
|
||||
ret = write_data(xconn->transport.sock, buf_out, len);
|
||||
srv_free_enc_buffer(xconn, encrypted_buf);
|
||||
if (ret <= 0) {
|
||||
int saved_errno = errno;
|
||||
/*
|
||||
@ -265,11 +268,9 @@ bool smb1_srv_send(struct smbXsrv_connection *xconn,
|
||||
(int)ret, strerror(saved_errno)));
|
||||
errno = saved_errno;
|
||||
|
||||
srv_free_enc_buffer(xconn, buf_out);
|
||||
goto out;
|
||||
}
|
||||
|
||||
srv_free_enc_buffer(xconn, buf_out);
|
||||
out:
|
||||
smbd_unlock_socket(xconn);
|
||||
return (ret > 0);
|
||||
|
Loading…
Reference in New Issue
Block a user