sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-28 01:58:17 +03:00
Code

smbd: reset dangling watch_req pointer in poll_open_done

Browse Source 
We just freed subreq and a pointer to subreq is stored in open_rec->watch_req,
so we must invalidate the pointer.

Otherwise if the poll open timer fires it will do a

  TALLOC_FREE(open_rec->watch_req);

on the dangling pointer which may crash or do something worse like freeing some
other random talloc memory.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14672
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1843

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This commit is contained in:
Ralph Boehme 2021-03-17 16:22:37 +01:00 committed by Jeremy Allison
parent 12b8dbd0bb
commit 065ed088b3
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
source3/smbd/open.c
View File

@ -3040,6 +3040,8 @@ static void poll_open_done(struct tevent_req *subreq)
status = share_mode_watch_recv(subreq, NULL, NULL);
TALLOC_FREE(subreq);
open_rec->watch_req = NULL;
DBG_DEBUG("dbwrap_watched_watch_recv returned %s\n",
nt_errstr(status));