sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-12 09:18:10 +03:00
Code
1928f08106
samba-mirror/source3
History
Michael Adam 44f3dde857 smbd: fix use after free via conn->fsp_fi_cache 
Some instrumentation of the the durable reconnect
code uncovered a problem in the fsp_new, fsp_free pair:

vfs_default_durable_reconnect():
  fsp_new() ==> this does DLIST_ADD(fsp->conn->sconn->files, fsp)
  if (fsp->oplock_type == LEASE_OPLOCK) {
    find_fsp_lease(fsp, &key, l) ==> this fills conn->fsp_fi_cache
    if (client guids not equal) {
      fsp_free(fsp) ==> this does DLIST_REMOVE(fsp->conn->sconn->files, fsp)
  }

so after this code we have the fsp_fi_cache still pointing to the
free'd memory. The next call to find_fsp_lease will use the cache
and hence access the freed memory.

The fix consists in invalidating the cache in fsp_free() instead
of just in its wrapper file_free().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11799

Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 17 04:31:10 CET 2016 on sn-devel-144
2016-03-17 04:31:10 +01:00
..
auth dlist: remove unneeded type argument from DLIST_ADD_END() 2016-02-06 21:48:17 +01:00
build waf: improve iconv checks 2014-01-03 05:04:44 +01:00
client CVE-2015-7560: s3: libsmb: Rename cli_posix_getfaclXX() functions to cli_posix_getacl() as they operate on pathnames. 2016-03-10 06:52:23 +01:00
exports
groupdb Convert all uses of uint32/16/8 to _t in source3/groupdb. 2015-05-14 19:29:19 +02:00
include s3:lib: Move internal lp_posix_pathnames() call out of utility function synthetic_smb_fname_split(). 2016-03-10 20:55:09 +01:00
intl lang_tdb: don't leak lock_path or data_path onto talloc tos 2014-11-03 23:46:05 +01:00
lib s3:lib: Move internal lp_posix_pathnames() call out of utility function synthetic_smb_fname_split(). 2016-03-10 20:55:09 +01:00
libads s3:libnet:libnet_join: fill in output enctypes and only modify when necessary. 2016-03-14 16:19:23 +01:00
libgpo gpo: don't leak cache_path onto talloc tos 2014-10-06 19:18:05 +02:00
libnet s3:libnet:libnet_join: update msDS-SupportedEncryptionTypes (if required) with machine creds. 2016-03-14 19:38:48 +01:00
librpc s3:librpc:idl:libnet_join: add encryption types to libnet_JoinCtx. 2016-03-14 16:19:23 +01:00
libsmb s3:libsmb: remove unused functions in clispnego.c 2016-03-10 06:52:30 +01:00
locale s3: fix encryption help messages 2015-12-22 02:22:50 +01:00
locking s3:smbd: convert file_struct.posix_open to a bitmap with flags 2015-12-01 20:45:20 +01:00
modules s3: vfs: vfs_xattr_tdb - cleanup. Remove unneeded variable "path". 2016-03-15 11:45:19 +01:00
nmbd dlist: remove unneeded type argument from DLIST_ADD_END() 2016-02-06 21:48:17 +01:00
param loadparm: Remove an unneeded variable 2016-02-19 15:56:19 +01:00
passdb build: mark explicit dependencies on pytalloc-util 2016-03-15 07:08:16 +01:00
printing lib: Remove "includes.h" from util_file.c 2016-02-23 22:03:17 +01:00
profile smbprofile: Add dst pid to smbprofile_cleanup 2015-11-16 14:51:33 +01:00
registry s3:registry: use dbwrap_purge_bystring instead of dbwrap_delete_bystring 2016-03-01 21:50:24 +01:00
rpc_client source3/rpc_client: Fix CID 1273041 Condition is redundant 2015-08-07 01:31:23 +02:00
rpc_server s3/rpc_server/srvsvc/srv_srvsvc_nt.c: change snum to signed int 2016-03-04 21:24:14 +01:00
rpcclient s3: rpcclient: Prevent null ptr access by returning error if no creds available 2015-11-04 22:15:24 +01:00
script s3:tests/test_ntlm_auth_s3: test ntlmssp-client-1 with cached credentials 2016-03-10 06:52:27 +01:00
selftest samba3.blackbox.smbclient_auth.plain: Add new regression test case. 2016-03-16 18:29:10 +01:00
services Convert all uint32/16/8 to _t in a couple of include files. 2015-05-12 04:22:55 +02:00
smbd smbd: fix use after free via conn->fsp_fi_cache 2016-03-17 04:31:10 +01:00
stf
torture s3:lib: Move internal lp_posix_pathnames() call out of utility function synthetic_smb_fname_split(). 2016-03-10 20:55:09 +01:00
utils Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth 2016-03-11 22:58:18 +01:00
web
winbindd idmap_hash: only allow the hash module for default idmap config. 2016-03-17 01:08:32 +01:00
.clang_complete lib: Remove tdb_compat 2015-03-17 11:30:52 +01:00
.dmallocrc
.indent.pro
change-log
Doxyfile
mainpage.dox
smbadduser.in
wscript build: fix build when --without-quota specified 2016-03-17 01:08:32 +01:00
wscript_build s3:wscript: pylibsmb depends on pycredentials 2016-03-15 22:13:23 +01:00
wscript_configure_system_ncurses Transition to waf 1.8: wrapped conf.check_cfg 2015-03-16 03:00:07 +01:00