1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00

s3:smbd: Fix invalid memory free

"Error: BAD_FREE (CWE-590):
samba-4.20.0rc2/source3/smbd/smb1_process.c:1485: array_free: ""smb1_srv_send"" frees array ""errbuf"".
 1483|   		char errbuf[smb_size];
 1484|   		error_packet(errbuf, 0, 0, status, __LINE__, __FILE__);
 1485|-> 		if (!smb1_srv_send(req->xconn,
 1486|   				   errbuf,
 1487|   				   true,"

Pair-Programmed-With: Ralph Boehme <slow@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
This commit is contained in:
Andreas Schneider 2024-06-26 16:11:57 +02:00 committed by Andreas Schneider
parent 94b8fa4134
commit 0131e4737c
2 changed files with 5 additions and 8 deletions

View File

@ -139,11 +139,7 @@ static NTSTATUS make_srv_encryption_context(const struct tsocket_address *remote
void srv_free_enc_buffer(struct smbXsrv_connection *xconn, char *buf)
{
/* We know this is an smb buffer, and we
* didn't malloc, only copy, for a keepalive,
* so ignore non-session messages. */
if(CVAL(buf,0)) {
if (buf == NULL) {
return;
}

View File

@ -217,6 +217,7 @@ bool smb1_srv_send(struct smbXsrv_connection *xconn,
size_t len = 0;
ssize_t ret;
char *buf_out = buffer;
char *encrypted_buf = NULL;
if (!NT_STATUS_IS_OK(xconn->transport.status)) {
/*
@ -240,7 +241,7 @@ bool smb1_srv_send(struct smbXsrv_connection *xconn,
}
if (do_encrypt) {
NTSTATUS status = srv_encrypt_buffer(xconn, buffer, &buf_out);
NTSTATUS status = srv_encrypt_buffer(xconn, buffer, &encrypted_buf);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("send_smb: SMB encryption failed "
"on outgoing packet! Error %s\n",
@ -248,11 +249,13 @@ bool smb1_srv_send(struct smbXsrv_connection *xconn,
ret = -1;
goto out;
}
buf_out = encrypted_buf;
}
len = smb_len_large(buf_out) + 4;
ret = write_data(xconn->transport.sock, buf_out, len);
srv_free_enc_buffer(xconn, encrypted_buf);
if (ret <= 0) {
int saved_errno = errno;
/*
@ -265,11 +268,9 @@ bool smb1_srv_send(struct smbXsrv_connection *xconn,
(int)ret, strerror(saved_errno)));
errno = saved_errno;
srv_free_enc_buffer(xconn, buf_out);
goto out;
}
srv_free_enc_buffer(xconn, buf_out);
out:
smbd_unlock_socket(xconn);
return (ret > 0);