sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-27 14:04:05 +03:00
Code
samba-mirror/source3/smbd
History
Jeremy Allison 5fe76a5474 s3: smbd: Fix a read after free if a chained SMB1 call goes async. 
Reported to the Samba Team by Yihan Lian <lianyihan@360.cn>, a security
researcher of Qihoo 360 GearTeam. Thanks a lot!

smb1_parse_chain() incorrectly used talloc_tos() for the memory
context of the chained smb1 requests. This gets freed between
requests so if a chained request goes async, the saved request
array also is freed, which causes a crash on resume.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12836

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-07-15 02:16:18 +02:00
..
notifyd
notifyd: Remove notifyd_handler_done
2017-07-07 00:52:24 +02:00
aio.c
s3/vfs: rename SMB_VFS_STRICT_LOCK to SMB_VFS_STRICT_LOCK_CHECK
2017-07-11 03:37:44 +02:00
avahi_register.c
blocking.c
dlist: remove unneeded type argument from DLIST_ADD_END()
2016-02-06 21:48:17 +01:00
close.c
lib: Add lib/util/server_id.h
2017-01-22 18:30:11 +01:00
conn_idle.c
Fix bug #9733 - smbcontrol close-share is not working.
2013-03-22 20:10:11 +01:00
conn_msg.c
conn.c
Add uint32_t share_access to vuid_cache_entry.
2013-01-09 15:28:48 +11:00
connection.c
s3:smbd: remove unused claim_connection/yield_connection
2012-10-19 12:15:03 +02:00
dfree.c
s3: VFS: Change SMB_VFS_DISK_FREE to use const struct smb_filename * instead of const char *.
2017-06-18 02:49:24 +02:00
dir.c
S3: smbd: Finish plumbing struct smb_filename * through the check_name() stack.
2017-07-01 03:07:11 +02:00
dmapi.c
Convert all uses of uint8/16/32 to _t in source3/smbd.
2015-05-06 04:14:14 +02:00
dnsregister.c
dosmode.c
s3: VFS: Change SMB_VFS_GETXATTR to use const struct smb_filename * instead of const char *.
2017-06-01 02:58:53 +02:00
durable.c
lib: Add lib/util/server_id.h
2017-01-22 18:30:11 +01:00
error.c
Convert all uses of uint8/16/32 to _t in source3/smbd.
2015-05-06 04:14:14 +02:00
fake_file.c
Convert three include files from uint32/16/8 to _t types as well as the source that includes them.
2015-05-01 19:15:10 +02:00
file_access.c
s3: Filenames: Add uint32_t flags parameter to synthetic_smb_fname().
2016-03-24 22:57:16 +01:00
fileio.c
smbd: Fix line length & whitespace in write_file
2016-02-23 22:03:16 +01:00
filename.c
S3: smbd: Finish plumbing struct smb_filename * through the check_name() stack.
2017-07-01 03:07:11 +02:00
files.c
s3: smbd: When deleting an fsp pointer ensure we don't keep any references to it around.
2017-06-22 00:12:49 +02:00
globals.c
printing: use housekeeping period that matches cache time
2016-04-19 09:37:14 +02:00
globals.h
s3/smbd: enable processing SMB2 requests async internally
2017-04-18 22:54:16 +02:00
ipc.c
Convert all uses of uint8/16/32 to _t in source3/smbd.
2015-05-06 04:14:14 +02:00
lanman.c
s3:smbd: consistently use talloc_tos() memory for rpc_pipe_open_interface()
2017-07-10 23:22:10 +02:00
mangle_hash2.c
lib/util: move memcache.[ch] to the toplevel 'samba-util' library
2014-07-18 15:43:33 +02:00
mangle_hash.c
smbd: Convert valid.dat to C code
2015-03-24 00:00:20 +01:00
mangle.c
s3/smbd: convert "mangled names" option to an enum
2017-01-09 19:31:20 +01:00
message.c
Update smbrun to allow for settings environment variables.
2016-10-13 04:26:26 +02:00
msdfs.c
s3: VFS: Change SMB_VFS_GETWD to return struct smb_filename * instead of char *.
2017-07-01 03:07:11 +02:00
negprot.c
auth: Always supply both the remote and local address to the auth subsystem
2017-03-29 02:37:26 +02:00
notify_fam.c
smbd: Allow passing notify filter from inotify and fam
2016-07-18 15:14:11 +02:00
notify_inotify.c
s3: smbd: inotify_map_mask_to_filter incorrectly indexes an array.
2017-04-28 03:18:23 +02:00
notify_msg.c
lib: Add lib/util/server_id.h
2017-01-22 18:30:11 +01:00
notify.c
smbd: Re-register notify requests
2016-07-20 05:21:07 +02:00
ntquotas.c
s3: VFS: Change SMB_VFS_GET_QUOTA to use const struct smb_filename * instead of const char *.
2017-06-18 02:49:25 +02:00
nttrans.c
s3: smbd: We can now remove the 'bool dfs_path' parameter from filename_convert().
2017-05-22 18:41:16 +02:00
open.c
s3/smbd: let non_widelink_open() chdir() to directories directly
2017-07-07 20:11:22 +02:00
oplock_irix.c
param: rename lp function and variable from 'lockdir' to 'lock_directory'
2014-02-07 16:19:10 -08:00
oplock_linux.c
Wrap setting leases in become_root()/unbecome_root() to ensure correct delivery of signals.
2013-07-31 17:07:58 -07:00
oplock.c
s3/smbd: fix exclusive lease optimisation
2017-05-28 14:50:18 +02:00
password.c
loadparm: rename lp[cfg]_pathname to lp[cfg]_path for consistency with docs
2014-02-03 13:26:13 +13:00
perfcount.c
lib:util: Make probing of modules more secure
2017-06-06 18:36:07 +02:00
pipes.c
rpc_server: Re-order and rename remote and local address in np_open()
2017-03-29 02:37:29 +02:00
posix_acls.c
s3: VFS: Change SMB_VFS_GETXATTR to use const struct smb_filename * instead of const char *.
2017-06-01 02:58:53 +02:00
process.c
s3: smbd: Fix a read after free if a chained SMB1 call goes async.
2017-07-15 02:16:18 +02:00
proto.h
S3: smbd: Finish plumbing struct smb_filename * through the check_name() stack.
2017-07-01 03:07:11 +02:00
pysmbd.c
s3: VFS: Change SMB_VFS_SYS_ACL_SET_FILE to use const struct smb_filename * instead of const char *.
2017-05-31 22:50:22 +02:00
quotas.c
s3: VFS: Change SMB_VFS_GET_QUOTA to use const struct smb_filename * instead of const char *.
2017-06-18 02:49:25 +02:00
reply.c
s3/vfs: rename SMB_VFS_STRICT_LOCK to SMB_VFS_STRICT_LOCK_CHECK
2017-07-11 03:37:44 +02:00
scavenger.c
lib: Add lib/util/server_id.h
2017-01-22 18:30:11 +01:00
scavenger.h
s3:smbd: add a scavenger process for disconnected durable handles
2013-04-18 13:15:13 +02:00
seal.c
auth: Always supply both the remote and local address to the auth subsystem
2017-03-29 02:37:26 +02:00
sec_ctx.c
s3:smbd: Fix incorrect use of sys_getgroups()
2017-04-18 15:43:02 +02:00
server_exit.c
Revert "s3: smbd: Tear down global_smbXsrv_client in the correct order."
2015-12-07 21:09:04 +01:00
server_reload.c
s3:smbd: use lp_load_with_shares() in reload_services().
2015-04-22 13:57:29 +02:00
server.c
s3/notifyd: ensure notifyd doesn't return from smbd_notifyd_init
2017-07-15 02:16:18 +02:00
service.c
s3: VFS: Change SMB_VFS_REALPATH to take and return struct smb_filename * instead of char *.
2017-07-01 03:07:11 +02:00
session.c
s3:smbd/session: Added a routine find_sessions()
2013-09-10 11:32:46 -07:00
sesssetup.c
s3:smbd: call auth_check_password_session_info() only in one central place
2017-06-26 08:47:15 +02:00
share_access.c
smbd: remove redundant comment (with typo) from token_contains_name()
2016-08-04 18:26:07 +02:00
signing.c
s3:smbd: move sconn->smb1.signing_state to xconn->smb1.signing_state
2014-08-06 09:51:11 +02:00
smb2_break.c
smbXsrv: rename smb2srv_session_lookup -> smb2srv_session_lookup_conn
2015-07-29 18:26:07 +02:00
smb2_close.c
smbd:smb2_close: remove an irritating blank line
2016-01-22 01:55:09 +01:00
smb2_create.c
s3:smb2_create: remove unused timer pointer from smbd_smb2_create_state
2017-06-27 16:57:47 +02:00
smb2_flush.c
s3/vfs: wrap async io function args inside struct vfs_aio_state
2016-03-02 01:22:13 +01:00
smb2_getinfo.c
s3:smbd: mask security_information input values with SMB_SUPPORTED_SECINFO_FLAGS
2014-08-22 00:28:08 +02:00
smb2_glue.c
s3/smbd: remove flags2 FLAGS2_READ_PERMIT_EXECUTE hack in the SMB2 code
2017-07-03 19:59:08 +02:00
smb2_ioctl_dfs.c
s3/smbd: allow GET_DFS_REFERRAL fsctl on any smb2 connexion
2017-02-25 02:38:28 +01:00
smb2_ioctl_filesys.c
s3/vfs: rename SMB_VFS_STRICT_LOCK to SMB_VFS_STRICT_LOCK_CHECK
2017-07-11 03:37:44 +02:00
smb2_ioctl_named_pipe.c
smbd: Fix CID 1035550 Structurally dead code
2013-08-12 17:25:54 +12:00
smb2_ioctl_network_fs.c
s3/smbd: remove unneeded flags argument from SMB_VFS_OFFLOAD_WRITE_SEND
2017-07-03 19:59:08 +02:00
smb2_ioctl_private.h
smb2_ioctl: split ioctl handler code on device type
2013-01-16 23:15:06 +01:00
smb2_ioctl.c
s3:smb2_server: pass smbXsrv_connection to smbd_server_connection_terminate*()
2014-08-06 09:51:13 +02:00
smb2_keepalive.c
s3:smb2_keepalive: make use of smbd_smb2_generate_outbody()
2014-03-05 13:59:22 -08:00
smb2_lock.c
smbd: Fix CID 1273096 Dereference before null check
2015-06-23 22:12:09 +02:00
smb2_negprot.c
s3/smbd: ensure global "smb encrypt = off" is effective for SMB 3.1.1 clients
2017-01-27 22:00:17 +01:00
smb2_notify.c
s3:smb2_server: use async smbprofile macros
2014-11-19 20:51:37 +01:00
smb2_query_directory.c
s3: smbd: We can now remove the 'bool dfs_path' parameter from filename_convert().
2017-05-22 18:41:16 +02:00
smb2_read.c
s3/vfs: rename SMB_VFS_STRICT_LOCK to SMB_VFS_STRICT_LOCK_CHECK
2017-07-11 03:37:44 +02:00
smb2_server.c
s3/smbd: enable processing SMB2 requests async internally
2017-04-18 22:54:16 +02:00
smb2_sesssetup.c
s3:smb2_sesssetup: allow a compound request after a SessionSetup
2017-06-17 10:55:25 +02:00
smb2_setinfo.c
smbd: Convert locking.tdb to new dbwrap_watch
2016-07-15 16:56:13 +02:00
smb2_tcon.c
s3:smb2_tcon: allow a compound request after a TreeConnect
2017-06-17 06:39:20 +02:00
smb2_write.c
s3/vfs: rename SMB_VFS_STRICT_LOCK to SMB_VFS_STRICT_LOCK_CHECK
2017-07-11 03:37:44 +02:00
smbd_cleanupd.c
s3/smbd: remove a misleading error message
2016-09-16 16:43:16 +02:00
smbd_cleanupd.h
smbd: Implement a cleanup daemon
2015-11-16 14:51:33 +01:00
smbd.h
s3: smbd: Add UCF_GMT_PATHNAME, which represents FLAGS2_REPARSE_PATH.
2017-05-22 18:41:16 +02:00
smbXsrv_client.c
lib: Add lib/util/server_id.h
2017-01-22 18:30:11 +01:00
smbXsrv_open.c
lib: Add lib/util/server_id.h
2017-01-22 18:30:11 +01:00
smbXsrv_session.c
lib: Add lib/util/server_id.h
2017-01-22 18:30:11 +01:00
smbXsrv_tcon.c
lib: Add lib/util/server_id.h
2017-01-22 18:30:11 +01:00
smbXsrv_version.c
smbXsrv: don't leak lock_path onto talloc tos
2014-11-03 23:46:05 +01:00
srvstr.c
Convert all uses of uint8/16/32 to _t in source3/smbd.
2015-05-06 04:14:14 +02:00
statcache.c
lib: Move "message_send_all" to serverid.c
2016-07-28 05:00:19 +02:00
statvfs.c
s3/statvfs: expose FILE_SUPPORTS_SPARSE_FILES capability
2015-03-09 21:27:07 +01:00
trans2.c
s3: VFS: Change SMB_VFS_SYMLINK to use const struct smb_filename * instead of const char *.
2017-06-18 07:03:18 +02:00
uid.c
smbd: Change logging level for denied share access
2014-07-31 01:17:30 +02:00
utmp.c
param: rename lp function and variable from 'wtmpdir' to 'wtmp_directory'
2014-02-07 16:19:11 -08:00
vfs.c
s3/vfs: rename SMB_VFS_STRICT_LOCK to SMB_VFS_STRICT_LOCK_CHECK
2017-07-11 03:37:44 +02:00