mirror of https://github.com/samba-team/samba.git synced 2025-01-10 01:18:15 +03:00
samba-mirror/source3/rpc_server
Jones Syue 044cb8f9d5 mdssvc: Do an early talloc_free() in _mdssvc_open()
Environment setup:
When macOS Finder connects to a samba server with 'spotlight = yes',
macOS issues an mdssvc open (mdssvc.opnum == 0) to samba and it goes
through the api _mdssvc_open().

After applying 578e434a94,
(this is reported by jaywei@qnap.com)
the line 'talloc_free(path);' is deleted on _mdssvc_open() normal exit,
so memory is lazily de-allocated: delayed to
smbd_tevent_trace_callback() @ smb2_process.c. [1]

'path' is supposed to be explicitly freed in _mdssvc_open() @ srv_mdssvc_nt.c [2]
just like on abnormal exit, and not wait for the main loop to free 'path', which is
no longer used; this is more consistent while reading the source code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15449

[1] gdb tracing 'path' address 0x56204ccc67e0 to know how it is freed.
Breakpoint 2, _tc_free_children_internal (tc=0x56204ccc6780, ptr=0x56204ccc67e0, location=0x7ff430d96410 "../../lib/talloc/talloc.c:1714") at ../../lib/talloc/talloc.c:1656
1656            while (tc->child) {
(gdb) bt
#0  _tc_free_children_internal (tc=0x56204ccc6780, ptr=0x56204ccc67e0, location=0x7ff430d96410 "../../lib/talloc/talloc.c:1714") at ../../lib/talloc/talloc.c:1656
#1  0x00007ff430d92b14 in _tc_free_internal (tc=0x56204ccc6780, location=0x7ff430d96410 "../../lib/talloc/talloc.c:1714") at ../../lib/talloc/talloc.c:1183
#2  0x00007ff430d93b71 in _tc_free_children_internal (tc=0x56204ccc6720, ptr=0x56204ccc6780, location=0x7ff430d96410 "../../lib/talloc/talloc.c:1714") at ../../lib/talloc/talloc.c:1668
#3  0x00007ff430d93d66 in talloc_free_children (ptr=0x56204ccc6780) at ../../lib/talloc/talloc.c:1714
#4  0x00007ff432235aca in talloc_pop (frame=0x56204ccc6780) at ../../lib/util/talloc_stack.c:125
#5  0x00007ff430d92959 in _tc_free_internal (tc=0x56204ccc6720, location=0x7ff431f358d0 "../../source3/smbd/process.c:3726") at ../../lib/talloc/talloc.c:1157
#6  0x00007ff430d92cd5 in _talloc_free_internal (ptr=0x56204ccc6780, location=0x7ff431f358d0 "../../source3/smbd/process.c:3726") at ../../lib/talloc/talloc.c:1247
#7  0x00007ff430d93f96 in _talloc_free (ptr=0x56204ccc6780, location=0x7ff431f358d0 "../../source3/smbd/process.c:3726") at ../../lib/talloc/talloc.c:1791
#8  0x00007ff431d81292 in smbd_tevent_trace_callback (point=TEVENT_TRACE_AFTER_LOOP_ONCE, private_data=0x7ffe46591e30) at ../../source3/smbd/process.c:3726
<...cut...>

[2] gdb tracing 'path' address 0x55a6d66deed0 to know how it is freed.
Breakpoint 2, _tc_free_children_internal (tc=0x55a6d66deed0, ptr=0x55a6d66def30, location=0x7fc4cca84040 "../../source3/rpc_server/mdssvc/srv_mdssvc_nt.c:189") at ../../lib/talloc/talloc.c:1656
1656            while (tc->child) {
(gdb) bt
#0  _tc_free_children_internal (tc=0x55a6d66deed0, ptr=0x55a6d66def30, location=0x7fc4cca84040 "../../source3/rpc_server/mdssvc/srv_mdssvc_nt.c:189") at ../../lib/talloc/talloc.c:1656
#1  0x00007fc4cb892b14 in _tc_free_internal (tc=0x55a6d66deed0, location=0x7fc4cca84040 "../../source3/rpc_server/mdssvc/srv_mdssvc_nt.c:189") at ../../lib/talloc/talloc.c:1183
#2  0x00007fc4cb892cd5 in _talloc_free_internal (ptr=0x55a6d66def30, location=0x7fc4cca84040 "../../source3/rpc_server/mdssvc/srv_mdssvc_nt.c:189") at ../../lib/talloc/talloc.c:1247
#3  0x00007fc4cb893f96 in _talloc_free (ptr=0x55a6d66def30, location=0x7fc4cca84040 "../../source3/rpc_server/mdssvc/srv_mdssvc_nt.c:189") at ../../lib/talloc/talloc.c:1791
#4  0x00007fc4cc9396e4 in _mdssvc_open (p=0x55a6d66d5600, r=0x55a6d66edc60) at ../../source3/rpc_server/mdssvc/srv_mdssvc_nt.c:189
<...cut...>

Signed-off-by: Jones Syue <jonessyue@qnap.com>
Reviewed-by: Noel Power <npower@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Mon Aug 14 18:11:37 UTC 2023 on atb-devel-224
2023-08-14 18:11:37 +00:00
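An added illustration, not Samba's code and not lib/talloc: a small C model of the two talloc properties the commit message relies on, namely that freeing a context frees everything it owns, and that smbd pops the per-request stackframe from its main loop (backtrace [1] shows talloc_pop() running under smbd_tevent_trace_callback()). The struct layout, the function names, the share path and the measured byte counts are assumptions made for this example; it only measures how long 'path' stays allocated in each variant.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for a talloc context header (assumption: real talloc
 * keeps far more state). Only parent/child/sibling links and the size
 * are needed so that freeing a parent frees its children. */
struct tctx {
    struct tctx *parent;
    struct tctx *child;   /* first child */
    struct tctx *next;    /* next sibling under the same parent */
    size_t size;
};

static size_t live_bytes;   /* bytes currently owned by some context */

static struct tctx *hdr(void *ptr) { return (struct tctx *)ptr - 1; }

/* Like talloc_size(): memory owned by parent (NULL = top level). */
static void *model_alloc(void *parent, size_t size)
{
    struct tctx *tc = calloc(1, sizeof(*tc) + size);
    if (tc == NULL) return NULL;
    tc->size = size;
    if (parent != NULL) {
        tc->parent = hdr(parent);
        tc->next = tc->parent->child;
        tc->parent->child = tc;
    }
    live_bytes += size;
    return tc + 1;
}

/* Like talloc_strdup(). */
static char *model_strdup(void *parent, const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = model_alloc(parent, n);
    if (p != NULL) memcpy(p, s, n);
    return p;
}

/* Like talloc_free(): release ptr and, recursively, everything it owns,
 * unlinking it from its parent so the parent can still be freed later. */
static void model_free(void *ptr)
{
    struct tctx *tc;
    if (ptr == NULL) return;
    tc = hdr(ptr);
    while (tc->child != NULL) {
        struct tctx *c = tc->child;
        tc->child = c->next;
        c->parent = NULL;           /* already unlinked; skip the loop below */
        model_free(c + 1);
    }
    if (tc->parent != NULL) {
        struct tctx **pp = &tc->parent->child;
        while (*pp != tc) pp = &(*pp)->next;
        *pp = tc->next;
    }
    live_bytes -= tc->size;
    free(tc);
}

static size_t model_live_bytes(void) { return live_bytes; }

/* Model of _mdssvc_open(): 'path' is allocated on the request's
 * stackframe. explicit_free selects the behaviour the commit restores
 * (free before returning) versus leaving 'path' for the frame pop. */
static int mdssvc_open_model(void *frame, const char *share, int explicit_free)
{
    char *path = model_strdup(frame, share);
    if (path == NULL) return -1;
    /* ... path would be used to look up/create the mds context ... */
    if (explicit_free) model_free(path);
    return 0;
}

/* Bytes still held after the handler returned but before the main loop
 * pops the frame: the window between the two backtraces in the commit. */
static size_t bytes_held_before_pop(int explicit_free)
{
    void *frame = model_alloc(NULL, 0);   /* talloc_stackframe() */
    size_t held;
    (void)mdssvc_open_model(frame, "/srv/share/spotlight", explicit_free);
    held = model_live_bytes();
    model_free(frame);                    /* talloc_pop() in the main loop */
    return held;
}

int main(void)
{
    printf("lazy free:     %zu bytes held until the frame pop\n",
           bytes_held_before_pop(0));
    printf("explicit free: %zu bytes held until the frame pop\n",
           bytes_held_before_pop(1));
    return 0;
}
```

Both variants end with nothing outstanding once the frame is popped, which matches the commit's framing: the change shortens the lifetime of 'path' to the handler and makes the normal and abnormal exits consistent, rather than fixing a leak. Against real talloc the same measurement can be taken with talloc_stackframe(), talloc_tos(), TALLOC_FREE() and talloc_total_size() on the frame.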
Name                 Last commit (subject, date)
dfs                  s3:rpc_server: Fix double blackslash issue in dfs path  2023-07-05 20:24:35 +00:00
dssetup              CVE-2020-25717: Add FreeIPA domain controller role  2021-11-09 19:45:33 +00:00
echo                 s3:rpc_server: Do not include s3 autogenerated headers  2020-03-20 15:36:36 +00:00
epmapper             s3:rpc_server: Add missing space to debug message  2023-08-08 04:39:38 +00:00
eventlog             s3:rpc_server: Add missing newlines to logging messages  2023-08-08 04:39:38 +00:00
fss                  rpc_server3: Remove pipes_struct->session_info  2022-01-05 00:11:38 +00:00
initshutdown         s3:rpc_server: Do not include s3 autogenerated headers  2020-03-20 15:36:36 +00:00
lsa                  s3:rpc_server: Fix typo  2023-08-08 04:39:38 +00:00
mdssvc               mdssvc: Do an early talloc_free() in _mdssvc_open()  2023-08-14 18:11:37 +00:00
netlogon             s3:rpc_server: Fix code spelling  2023-07-19 09:58:37 +00:00
ntsvcs               rpc_server3: Remove pipes_struct->session_info  2022-01-05 00:11:38 +00:00
samr                 s3:rpc_server: Fix code spelling  2023-07-19 09:58:37 +00:00
spoolss              s3:rpc_server: Fix incomplete logging messages  2023-08-08 04:39:38 +00:00
srvsvc               s3:rpc_server: Fix code spelling  2023-07-19 09:58:37 +00:00
svcctl               rpc_server3: Remove pipes_struct->session_info  2022-01-05 00:11:38 +00:00
winreg               s3:rpc_server: Fix incomplete logging messages  2023-08-08 04:39:38 +00:00
wkssvc               rpc_server3: Remove pipes_struct->session_info  2022-01-05 00:11:38 +00:00
rpc_config.c         dcesrv_core: wrap gensec_*() calls in [un]become_root() calls  2022-01-24 15:25:36 +00:00
rpc_config.h         s3:rpc_server: Delete unused code and doc references  2021-12-10 14:02:30 +00:00
rpc_handles.c        rpc_server3: Remove pipes_struct->session_info  2022-01-05 00:11:38 +00:00
rpc_host.c           s3:rpc_server: Add missing newlines to logging messages  2023-08-08 04:39:38 +00:00
rpc_ncacn_np.c       rpc_server3: Inline single-use rpcint_binding_handle_ex()  2022-01-05 00:11:38 +00:00
rpc_ncacn_np.h       s3:rpc_server: Activate samba-dcerpcd  2021-12-10 14:02:30 +00:00
rpc_pipes.h          rpc_server3: No linked list for pipes_struct anymore  2022-01-05 00:11:38 +00:00
rpc_server.c         s3:rpc_server: Add missing newlines to logging messages  2023-08-08 04:39:38 +00:00
rpc_server.h         rpc_server3: Inline pipes_struct into dcerpc_ncacn_conn  2022-01-05 00:11:38 +00:00
rpc_sock_helper.c    s3:rpc_server: Delete unused code and doc references  2021-12-10 14:02:30 +00:00
rpc_sock_helper.h    rpc_server: Consolidate transport-specific socket creation  2021-01-26 00:10:31 +00:00
rpc_worker.c         s3:rpc_server: Add missing newlines to logging messages  2023-08-08 04:39:38 +00:00
rpc_worker.h         s3:rpc_server: Implement the rpcd_* helper-end of the samba-dcerpc protocol  2021-12-10 14:02:30 +00:00
rpcd_classic.c       rpc_server3: Initialize mangle_fns in classic and spoolss  2022-07-12 13:33:14 +00:00
rpcd_epmapper.c      s3:rpc_server: Add samba-dcerpcd helper programs  2021-12-10 14:02:30 +00:00
rpcd_fsrvp.c         s3:rpc_server: Add samba-dcerpcd helper programs  2021-12-10 14:02:30 +00:00
rpcd_lsad.c          s3:rpc_server: Add samba-dcerpcd helper programs  2021-12-10 14:02:30 +00:00
rpcd_mdssvc.c        rpcd_mdssvc: initialize POSIX locking  2023-04-07 21:12:21 +00:00
rpcd_rpcecho.c       s3:rpc_server: Add samba-dcerpcd helper programs  2021-12-10 14:02:30 +00:00
rpcd_spoolss.c       rpc_server3: Initialize mangle_fns in classic and spoolss  2022-07-12 13:33:14 +00:00
rpcd_winreg.c        s3:rpc_server: Add samba-dcerpcd helper programs  2021-12-10 14:02:30 +00:00
srv_access_check.c   s3:rpc_server: Fix code spelling  2023-07-19 09:58:37 +00:00
srv_access_check.h   Covert all uint32/16/8 to _t in source3/rpc_server.  2015-05-15 19:31:24 +02:00
srv_pipe_hnd.c       smbd: Adapt np_[read|write]_send() to more recent tevent_req conventions  2022-08-26 18:54:37 +00:00
srv_pipe_hnd.h       s3:rpc_server: Retrieve dcesrv_context from parent context to open NP  2020-03-20 15:36:35 +00:00
wscript_build        CVE-2022-38023 s3:rpc_server/netlogon: Use dcesrv_netr_creds_server_step_check()  2023-01-09 14:23:36 +00:00