1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

s3: smbd: smb2-sessionsetup. Fix use after free when the sessionsetup request state is freed before struct smbXsrv_session struct.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Sep  8 09:52:23 CEST 2014 on sn-devel-104
This commit is contained in:
Jeremy Allison 2014-09-04 02:08:08 -07:00 committed by Andrew Bartlett
parent b19750dbe9
commit 01a18811cc

View File

@ -476,6 +476,12 @@ static int smbd_smb2_session_setup_state_destructor(struct smbd_smb2_session_set
state->session->status = NT_STATUS_USER_SESSION_DELETED;
state->smb2req->session = talloc_move(state->smb2req, &state->session);
/*
* We own the session now - we don't need the
* tag talloced on session that keeps track of session independently.
*/
TALLOC_FREE(state->pp_self_ref);
/*
* We've made this session owned by the current request.
* Ensure that any outstanding requests don't also refer