mirror of
https://github.com/samba-team/samba.git
synced 2025-02-03 13:47:25 +03:00
434e6d4b4b
This fixes a use-after-free in smb_full_audit_create_file() when
calling SMB_VFS_CREATE_FILE with fsp->fsp_name as smb_fname.

create_file_unixpath() has this comment:

    * This is really subtle. If someone passes in an smb_fname
    * where smb_fname actually is taken from fsp->fsp_name, then
    * the lifetime of these objects is meant to be the same.

so it seems legitimate to call CREATE_FILE this way. When CREATE_FILE
runs into an error, create_file_unixpath() does a file_free, which also
takes fsp->fsp_name with it. smb_full_audit_create_file() wants to log
the failure including the smb_fname after NEXT_CREATE_FILE has exited,
but this will then use the already free'ed data.

Fix by only doing the file_free() on an fsp that create_file_unixpath()
created itself.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Feb 10 19:11:33 UTC 2022 on sn-devel-184
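
The ownership rule described in the commit message, as an added C model that is not Samba's code: the error path frees an fsp only if the call created it, so a wrapper that logs smb_fname afterwards still reads live memory. All struct and function names, the way the caller's fsp is passed in, and the log format are simplified assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins; all names here are hypothetical, not Samba's. */
struct name { char path[64]; };
struct file { struct name *fsp_name; };
static int frees; /* number of file_free_model() calls */

static struct file *file_new_model(const char *path) {
    struct file *f = calloc(1, sizeof(*f));
    if (!f || !(f->fsp_name = calloc(1, sizeof(*f->fsp_name)))) abort();
    snprintf(f->fsp_name->path, sizeof(f->fsp_name->path), "%s", path);
    return f;
}
static void file_free_model(struct file *f) {
    free(f->fsp_name); /* the name shares the file's lifetime */
    free(f);
    frees++;
}
/* Error path as fixed: free only an fsp that this call created. */
static int create_model(struct file *caller_fsp, const struct name *smb_fname,
                        int fail, struct file **result) {
    struct file *fsp = caller_fsp ? caller_fsp : file_new_model(smb_fname->path);
    *result = NULL;
    if (fail) {
        if (fsp != caller_fsp) file_free_model(fsp);
        return -1;
    }
    *result = fsp;
    return 0;
}
/* Audit wrapper: logs smb_fname only after the inner call has returned. */
static int audited_create(struct file *caller_fsp, const struct name *smb_fname,
                          int fail, struct file **result, char *log, size_t len) {
    int rc = create_model(caller_fsp, smb_fname, fail, result);
    snprintf(log, len, "create_file|%s|%s", rc ? "fail" : "ok", smb_fname->path);
    return rc;
}
/* Constructed scenario from the commit message: smb_fname is fsp->fsp_name. */
static int frees_on_aliased_failure(char *log, size_t len) {
    struct file *fsp = file_new_model("share/report.txt"), *res;
    int before = frees;
    audited_create(fsp, fsp->fsp_name, 1, &res, log, len);
    int done = frees - before;
    file_free_model(fsp); /* the caller still owns fsp and releases it */
    return done;
}
int main(void) {
    char log[128];
    printf("frees in error path: %d, log: %s\n", frees_on_aliased_failure(log, sizeof log), log);
    return 0;
}
```

Building the model with AddressSanitizer (`-fsanitize=address`) and removing the `fsp != caller_fsp` check makes the logging read in `audited_create()` show up as a heap-use-after-free report.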