sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-02 09:47:23 +03:00
Code

s3: libsmb: Fix use-after-free when accessing pointer *p.

Browse Source 
talloc_asprintf_append() might call realloc()
and therefore move the memory address of "path".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12927

Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Jul 22 22:45:05 CEST 2017 on sn-devel-144

(cherry picked from commit 890137cffedcaf88a9ff808c01335ee14fcfd8da)

Autobuild-User(v4-6-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-6-test): Mon Jul 24 02:24:33 CEST 2017 on sn-devel-144
This commit is contained in:
Thomas Jarosch 2017-07-22 09:36:18 -07:00 committed by Karolin Seeger
parent 378886b89c
commit 6155eba0db
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
source3/libsmb/libsmb_dir.c
View File

@ -379,9 +379,9 @@ SMBC_opendir_ctx(SMBCCTX *context,
char *options = NULL;
char *workgroup = NULL;
char *path = NULL;
size_t path_len = 0;
uint16_t mode;
uint16_t port = 0;
char *p = NULL;
SMBCSRV *srv = NULL;
SMBCFILE *dir = NULL;
struct sockaddr_storage rem_ss;
@ -802,7 +802,7 @@ SMBC_opendir_ctx(SMBCCTX *context,
/* Now, list the files ... */
p = path + strlen(path);
path_len = strlen(path);
path = talloc_asprintf_append(path, "\\*");
if (!path) {
if (dir) {
@ -844,7 +844,7 @@ SMBC_opendir_ctx(SMBCCTX *context,
* got would have been EINVAL rather
* than ENOTDIR.
*/
*p = '\0'; /* restore original path */
path[path_len] = '\0'; /* restore original path */
if (SMBC_getatr(context, srv, path,
&mode, NULL,