mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
dcesrv_core: add dcesrv_assoc_group_common_destructor()
We need to detach dcesrv_iface_state from dcesrv_assoc_group, if dcesrv_assoc_group is free'ed first. ==381007==ERROR: AddressSanitizer: heap-use-after-free on address 0x50d000004f80 at pc 0x7f15fc12e0ac bp 0x7ffe43267780 sp 0x7ffe43267778 READ of size 8 at 0x50d000004f80 thread T0 #0 0x7f15fc12e0ab in dcesrv_iface_state_destructor ../../librpc/rpc/dcesrv_handles.c:166 #1 0x7f15fc0f7d76 in _tc_free_internal ../../lib/talloc/talloc.c:1158 #2 0x7f15fc0f7acd in _tc_free_children_internal ../../lib/talloc/talloc.c:1669 #3 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184 #4 0x7f15fc0f7acd in _tc_free_children_internal ../../lib/talloc/talloc.c:1669 #5 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184 #6 0x7f15fc0f7acd in _tc_free_children_internal ../../lib/talloc/talloc.c:1669 #7 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184 #8 0x7f15fc0f924c in _talloc_free_internal ../../lib/talloc/talloc.c:1248 #9 0x7f15fc0f924c in _talloc_free ../../lib/talloc/talloc.c:1792 #10 0x7f15fadac024 in ncacn_terminate_connection ../../source3/rpc_server/rpc_server.c:263 #11 0x7f15fadac024 in dcesrv_transport_terminate_connection ../../source3/rpc_server/rpc_server.c:251 #12 0x7f15fc11e5ef in dcesrv_terminate_connection ../../librpc/rpc/dcesrv_core.c:2968 #13 0x7f15fc125446 in dcesrv_read_fragment_done ../../librpc/rpc/dcesrv_core.c:3196 #14 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #15 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #16 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252 #17 0x7f15fb4f69a1 in _tevent_req_nterror ../../lib/util/tevent_ntstatus.c:46 #18 0x7f15fabda2f4 in dcerpc_read_ncacn_packet_done ../../librpc/rpc/dcerpc_util.c:612 #19 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #20 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #21 0x7f15fb7dcdb7 in _tevent_req_error 
../../lib/tevent/tevent_req.c:252 #22 0x7f15fbff4228 in tstream_readv_pdu_readv_done ../../lib/tsocket/tsocket_helpers.c:313 #23 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #24 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #25 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252 #26 0x7f15fbff1800 in tstream_readv_done ../../lib/tsocket/tsocket.c:593 #27 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #28 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #29 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252 #30 0x7f15fadbc1a3 in tstream_npa_readv_msg_mode_handler ../../libcli/named_pipe_auth/npa_tstream.c:697 #31 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #32 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #33 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252 #34 0x7f15fbff4228 in tstream_readv_pdu_readv_done ../../lib/tsocket/tsocket_helpers.c:313 #35 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #36 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #37 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252 #38 0x7f15fbff1800 in tstream_readv_done ../../lib/tsocket/tsocket.c:593 #39 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #40 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #41 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252 #42 0x7f15fbff9691 in tstream_bsd_readv_handler ../../lib/tsocket/tsocket_bsd.c:2080 #43 0x7f15fbff6f85 in tstream_bsd_fde_handler ../../lib/tsocket/tsocket_bsd.c:1764 #44 0x7f15fb7d9ac1 in tevent_common_invoke_fd_handler ../../lib/tevent/tevent_fd.c:174 #45 0x7f15fb7ef185 in epoll_event_loop ../../lib/tevent/tevent_epoll.c:696 #46 0x7f15fb7ef185 in epoll_event_loop_once 
../../lib/tevent/tevent_epoll.c:926 #47 0x7f15fb7e77b8 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110 #48 0x7f15fb7d7549 in _tevent_loop_once ../../lib/tevent/tevent.c:820 #49 0x7f15fc936b7c in rpc_worker_main ../../source3/rpc_server/rpc_worker.c:1249 #50 0x5632ae1e1ec3 in main ../../source3/rpc_server/rpcd_lsad.c:132 #51 0x7f15f7c2a2ad in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #52 0x7f15f7c2a378 in __libc_start_main_impl ../csu/libc-start.c:360 #53 0x5632ae162e64 in _start ../sysdeps/x86_64/start.S:115 0x50d000004f80 is located 112 bytes inside of 136-byte region [0x50d000004f10,0x50d000004f98) freed by thread T0 here: #0 0x7f15fcefb418 in free ../../../../libsanitizer/asan/asan_malloc_linux.cpp:52 #1 0x7f15fc0f857d in _tc_free_internal ../../lib/talloc/talloc.c:1222 #2 0x7f15fc0f8d0f in _talloc_free_internal ../../lib/talloc/talloc.c:1248 #3 0x7f15fc0f8d0f in talloc_unlink ../../lib/talloc/talloc.c:1473 #4 0x7f15fc934580 in rpc_worker_connection_terminated ../../source3/rpc_server/rpc_worker.c:143 #5 0x7f15fc9310bd in dcesrv_connection_destructor ../../source3/rpc_server/rpc_worker.c:175 #6 0x7f15fc0f7d76 in _tc_free_internal ../../lib/talloc/talloc.c:1158 #7 0x7f15fc0f7acd in _tc_free_children_internal ../../lib/talloc/talloc.c:1669 #8 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184 #9 0x7f15fc0f924c in _talloc_free_internal ../../lib/talloc/talloc.c:1248 #10 0x7f15fc0f924c in _talloc_free ../../lib/talloc/talloc.c:1792 #11 0x7f15fadac024 in ncacn_terminate_connection ../../source3/rpc_server/rpc_server.c:263 #12 0x7f15fadac024 in dcesrv_transport_terminate_connection ../../source3/rpc_server/rpc_server.c:251 #13 0x7f15fc11e5ef in dcesrv_terminate_connection ../../librpc/rpc/dcesrv_core.c:2968 #14 0x7f15fc125446 in dcesrv_read_fragment_done ../../librpc/rpc/dcesrv_core.c:3196 #15 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #16 0x7f15fb7dcd1c in tevent_req_finish 
../../lib/tevent/tevent_req.c:234 #17 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252 #18 0x7f15fb4f69a1 in _tevent_req_nterror ../../lib/util/tevent_ntstatus.c:46 #19 0x7f15fabda2f4 in dcerpc_read_ncacn_packet_done ../../librpc/rpc/dcerpc_util.c:612 #20 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #21 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #22 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252 #23 0x7f15fbff4228 in tstream_readv_pdu_readv_done ../../lib/tsocket/tsocket_helpers.c:313 #24 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #25 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #26 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252 #27 0x7f15fbff1800 in tstream_readv_done ../../lib/tsocket/tsocket.c:593 #28 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #29 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #30 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252 #31 0x7f15fadbc1a3 in tstream_npa_readv_msg_mode_handler ../../libcli/named_pipe_auth/npa_tstream.c:697 #32 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #33 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234 previously allocated by thread T0 here: #0 0x7f15fcefc777 in malloc ../../../../libsanitizer/asan/asan_malloc_linux.cpp:69 #1 0x7f15fc0fbc57 in __talloc_with_prefix ../../lib/talloc/talloc.c:783 #2 0x7f15fc0fd8cf in __talloc ../../lib/talloc/talloc.c:825 #3 0x7f15fc0fd8cf in _talloc_named_const ../../lib/talloc/talloc.c:982 #4 0x7f15fc0fd8cf in _talloc_zero ../../lib/talloc/talloc.c:2421 #5 0x7f15fc93156e in rpc_worker_assoc_group_new ../../source3/rpc_server/rpc_worker.c:681 #6 0x7f15fc93156e in rpc_worker_assoc_group_find ../../source3/rpc_server/rpc_worker.c:730 #7 0x7f15fc120a18 in dcesrv_bind 
../../librpc/rpc/dcesrv_core.c:1158 #8 0x7f15fc120a18 in dcesrv_process_ncacn_packet ../../librpc/rpc/dcesrv_core.c:2324 #9 0x7f15fc120a18 in dcesrv_loop_next_packet ../../librpc/rpc/dcesrv_core.c:3222 #10 0x7f15fc933722 in rpc_worker_new_client ../../source3/rpc_server/rpc_worker.c:489 #11 0x7f15fc933722 in rpc_worker_new_client_filter ../../source3/rpc_server/rpc_worker.c:558 #12 0x7f15fbef95ca in messaging_dispatch_waiters ../../source3/lib/messages.c:1343 #13 0x7f15fbefb589 in messaging_dispatch_rec ../../source3/lib/messages.c:1371 #14 0x7f15fbefb589 in messaging_recv_cb ../../source3/lib/messages.c:431 #15 0x7f15faddba9e in msg_dgm_ref_recv ../../lib/messaging/messages_dgm_ref.c:144 #16 0x7f15fadd6cc3 in messaging_dgm_recv ../../lib/messaging/messages_dgm.c:1426 #17 0x7f15fadd7618 in messaging_dgm_read_handler ../../lib/messaging/messages_dgm.c:1316 #18 0x7f15fb7d9ac1 in tevent_common_invoke_fd_handler ../../lib/tevent/tevent_fd.c:174 #19 0x7f15fb7ef185 in epoll_event_loop ../../lib/tevent/tevent_epoll.c:696 #20 0x7f15fb7ef185 in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:926 #21 0x7f15fb7e77b8 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110 #22 0x7f15fb7d7549 in _tevent_loop_once ../../lib/tevent/tevent.c:820 #23 0x7f15fc936b7c in rpc_worker_main ../../source3/rpc_server/rpc_worker.c:1249 #24 0x5632ae1e1ec3 in main ../../source3/rpc_server/rpcd_lsad.c:132 #25 0x7f15f7c2a2ad in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15765 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
parent
b9755f8840
commit
5b929860e2
@ -647,6 +647,8 @@ _PUBLIC_ NTSTATUS dcesrv_interface_bind_reject_connect(struct dcesrv_connection_
|
||||
_PUBLIC_ NTSTATUS dcesrv_interface_bind_allow_connect(struct dcesrv_connection_context *context,
|
||||
const struct dcesrv_interface *iface);
|
||||
|
||||
_PUBLIC_ void dcesrv_assoc_group_common_destructor(struct dcesrv_assoc_group *assoc_group);
|
||||
|
||||
_PUBLIC_ NTSTATUS _dcesrv_iface_state_store_assoc(
|
||||
struct dcesrv_call_state *call,
|
||||
uint64_t magic,
|
||||
|
@ -163,10 +163,25 @@ struct dcesrv_iface_state {
|
||||
|
||||
static int dcesrv_iface_state_destructor(struct dcesrv_iface_state *istate)
|
||||
{
|
||||
DLIST_REMOVE(istate->assoc->iface_states, istate);
|
||||
if (istate->assoc != NULL) {
|
||||
DLIST_REMOVE(istate->assoc->iface_states, istate);
|
||||
istate->assoc = NULL;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
void dcesrv_assoc_group_common_destructor(struct dcesrv_assoc_group *assoc_group)
|
||||
{
|
||||
struct dcesrv_iface_state *cur = NULL;
|
||||
struct dcesrv_iface_state *next = NULL;
|
||||
|
||||
for (cur = assoc_group->iface_states; cur != NULL; cur = next) {
|
||||
next = cur->next;
|
||||
cur->assoc = NULL;
|
||||
DLIST_REMOVE(assoc_group->iface_states, cur);
|
||||
}
|
||||
}
|
||||
|
||||
static void *dcesrv_iface_state_find(struct dcesrv_assoc_group *assoc,
|
||||
const struct dcesrv_interface *iface,
|
||||
const struct dom_sid *owner,
|
||||
|
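Review bot: Nothing on this page calls `dcesrv_assoc_group_common_destructor()`, and the `istate->assoc != NULL` guard added to `dcesrv_iface_state_destructor()` only helps once that helper has cleared the back-pointer. Until a caller exists, the heap-use-after-free from the commit message stays reachable for any assoc group that is freed first. The freed-by stack in the message runs through `rpc_worker_connection_terminated()` and `talloc_unlink()`, so the assoc group destructor on that path has to invoke the helper before the group's memory is released; that destructor is outside this page and may be wired up in a separate commit. I would state the contract at the definition, e.g. `/* Must be called from every dcesrv_assoc_group talloc destructor: detaches all iface_states so their destructors never dereference the freed group. */`.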