Mirror of https://github.com/samba-team/samba.git (synced 2024-12-25 23:21:54 +03:00)
s3: smbd: Fix a read after free if a chained SMB1 call goes async.
Reported to the Samba Team by Yihan Lian <lianyihan@360.cn>, a security researcher of Qihoo 360 GearTeam. Thanks a lot!

smb1_parse_chain() incorrectly used talloc_tos() for the memory context of the chained smb1 requests. This gets freed between requests so if a chained request goes async, the saved request array also is freed, which causes a crash on resume.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12836

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in: parent 7f4e7cfd1b, commit 5fe76a5474
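The lifetime mismatch the commit message describes, as an added C illustration that is not Samba's code: a minimal talloc-like hierarchy stands in for libtalloc (freeing a context frees every child), `parse_chain()` and `resume_after_async()` are hypothetical stand-ins for smb1_parse_chain() and the async resume path, and the three SMB1 opcodes are a constructed sample chain. The only difference between the crashing and the fixed run is which context the request array is parented to, mirroring the one-argument change in the patch.

```c
/* Added illustration (not Samba code). A tiny talloc-like context tree:
 * freeing a context frees all of its children. A registry of live
 * allocation ids lets the test check liveness without touching freed memory. */
#include <stdio.h>
#include <stdlib.h>

struct ctx {
    struct ctx *parent, *first_child, *next_sibling;
    struct ctx *next_live;      /* registry of live contexts */
    unsigned long id;           /* stable id, safe to keep after free */
    char data[];                /* payload */
};

static struct ctx *live_head;
static unsigned long next_id = 1;

static struct ctx *ctx_alloc(struct ctx *parent, size_t size)
{
    struct ctx *c = calloc(1, sizeof(*c) + size);
    if (c == NULL) abort();
    c->parent = parent;
    c->id = next_id++;
    if (parent != NULL) { c->next_sibling = parent->first_child; parent->first_child = c; }
    c->next_live = live_head;
    live_head = c;
    return c;
}

static int ctx_is_live(unsigned long id)
{
    for (const struct ctx *p = live_head; p != NULL; p = p->next_live)
        if (p->id == id) return 1;
    return 0;
}

/* Free a context and, recursively, everything allocated beneath it. */
static void ctx_free(struct ctx *c)
{
    for (struct ctx *child = c->first_child; child != NULL; ) {
        struct ctx *next = child->next_sibling;
        ctx_free(child);
        child = next;
    }
    if (c->parent != NULL)
        for (struct ctx **pp = &c->parent->first_child; *pp; pp = &(*pp)->next_sibling)
            if (*pp == c) { *pp = c->next_sibling; break; }
    for (struct ctx **pp = &live_head; *pp; pp = &(*pp)->next_live)
        if (*pp == c) { *pp = c->next_live; break; }
    free(c);
}

/* Stand-in for the parsed chain: one record per chained SMB1 request. */
struct smb_request { unsigned cmd; unsigned seqnum; };
struct chain_state { struct ctx *reqs; unsigned long reqs_id; unsigned num_reqs; };
enum parent_choice { PARENT_STACKFRAME, PARENT_CONNECTION };

/* Hypothetical parse: the array is allocated under mem_ctx, just as
 * smb1_parse_chain() allocates under its first argument. */
static void parse_chain(struct ctx *mem_ctx, const unsigned *cmds, unsigned n,
                        struct chain_state *st)
{
    st->reqs = ctx_alloc(mem_ctx, n * sizeof(struct smb_request));
    st->reqs_id = st->reqs->id;
    struct smb_request *arr = (struct smb_request *)st->reqs->data;
    for (unsigned i = 0; i < n; i++) { arr[i].cmd = cmds[i]; arr[i].seqnum = i; }
    st->num_reqs = n;
}

/* Returns 1 if the saved request array is still valid when the async request
 * resumes, 0 if it died with the per-request stack frame. */
static int resume_after_async(enum parent_choice choice)
{
    struct ctx *xconn = ctx_alloc(NULL, 0);   /* lives as long as the connection */
    struct ctx *frame = ctx_alloc(xconn, 0);  /* talloc_tos()-style scratch, freed per request */
    /* constructed sample chain: SMBtconX, SMBntcreateX, SMBreadX */
    static const unsigned cmds[] = { 0x75, 0xa2, 0x2e };
    struct chain_state st;

    parse_chain(choice == PARENT_STACKFRAME ? frame : xconn, cmds, 3, &st);

    /* Request 1 goes async: chain state is saved, and the stack frame is
     * freed before the next request is serviced. */
    ctx_free(frame);

    /* Resume: only dereference the saved array if it is still live. */
    int ok = ctx_is_live(st.reqs_id);
    if (ok) {
        const struct smb_request *arr = (const struct smb_request *)st.reqs->data;
        ok = (arr[st.num_reqs - 1].cmd == 0x2e);
    }
    ctx_free(xconn);                          /* connection teardown frees the fixed case too */
    return ok;
}

int main(void)
{
    printf("stackframe parent: %s\n", resume_after_async(PARENT_STACKFRAME) ? "live" : "freed (use after free)");
    printf("connection parent: %s\n", resume_after_async(PARENT_CONNECTION) ? "live" : "freed");
    return 0;
}
```

In real smbd the dangling case would simply dereference freed memory on resume; the liveness registry here replaces that crash with a checkable result. Note that parenting to the connection only moves the lifetime problem: the array then has to be released explicitly once the chain completes, otherwise it persists for as long as the connection does.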
@ -1785,7 +1785,7 @@ static void construct_reply_chain(struct smbXsrv_connection *xconn,
unsigned num_reqs;
bool ok;

ok = smb1_parse_chain(talloc_tos(), (uint8_t *)inbuf, xconn, encrypted,
ok = smb1_parse_chain(xconn, (uint8_t *)inbuf, xconn, encrypted,
seqnum, &reqs, &num_reqs);
if (!ok) {
char errbuf[smb_size];
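Review bot: with xconn as the talloc parent on the `ok = smb1_parse_chain(xconn, (uint8_t *)inbuf, xconn, encrypted,` line, the reqs array now lives as long as the connection instead of the current stack frame, so something must still free it once the whole chain has been processed (and on the `if (!ok) {` failure path, if smb1_parse_chain() can return with a partially built array); the hunk shows no matching TALLOC_FREE, so please confirm the release point elsewhere in construct_reply_chain() or in the async completion code, otherwise every chained request leaks its array for the lifetime of the connection. Passing xconn twice (once as mem_ctx, once as the connection) is correct here but deserves a one-line comment so the next reader does not "fix" it back to talloc_tos().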