mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
samba-mirror/source4/smbd
Jeremy Allison a4599b3011 s4: server: Fix crash in NTVFS server caused by ordering of destructor calls.
In the NTVFS server we have the following talloc hierarchy:

                                   event_ctx
                                     |
        ---------------------------------------------------- .. other children
        |                       |                      |
     msg_dgm_ref              srv_conn            msg_dgm_ref
        ^                       |
        |                    NTVFS structures
        |                       |
        |                    XXXXXX
        |                       |
        |                       |
        --------------------- pointer to msg_dgm_ref

Some of the structures under NTVFS (marked XXXXXX) can have
pointers to imessaging contexts which internally have pointers
to msg_dgm_ref structures allocated off event_ctx.

The original code calls:

        model_ops->terminate(event_ctx, srv_conn->lp_ctx, reason);
        talloc_free(srv_conn);

But model_ops->terminate() calls talloc_free(event_ctx) and
then calls exit(). In this case srv_conn is never explicitly
freed, but only freed as a talloc child of the event_ctx.

Depending on the ordering of the linked list of talloc children
under event_ctx (which can be reordered via talloc_free/reinit
of msg_dgm_ref) a pointer to msg_dgm_ref under srv_conn can
be left pointing to memory that was already freed. This pointer
is then used in the destructor for a file object called when
srv_conn is freed.

Re-ordering this to explicitly call TALLOC_FREE(srv_conn) first
and then model_ops->terminate() fixes this problem.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Apr  2 05:18:39 CEST 2017 on sn-devel-144
2017-04-02 05:18:39 +02:00
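The commit message above describes a cross-subtree pointer whose lifetime depends on the order in which a parent frees its children. The following is an added example, not Samba code: a toy hierarchical allocator (a stand-in for talloc, with the assumed simplification that new children are prepended to the parent's list and freed head-first before the parent's own destructor runs) builds event_ctx -> { msg_dgm_ref, srv_conn -> file }, optionally "reinits" the msg_dgm_ref so it moves ahead of srv_conn in the list, and then tears down either the original way (free event_ctx only) or the fixed way (free srv_conn explicitly first). A live-node registry stands in for ASan/valgrind so the dangling dereference is counted instead of crashing. All identifiers (tnode, tnew, tfree, teardown_scenario, file_obj) are hypothetical names for this example.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_LIVE 64

/* Toy hierarchical allocator: a node owns its children and frees them
 * (newest child first) before running its own destructor.  Simplified
 * stand-in for talloc; an assumption of this example, not talloc itself. */
struct tnode {
    struct tnode *parent;
    struct tnode *child;     /* head of the child list */
    struct tnode *next;      /* next sibling */
    int (*destructor)(struct tnode *);
    void *priv;
};

/* Registry of live nodes: lets a destructor detect a dangling pointer
 * without touching freed memory (the role ASan/valgrind play on the real crash). */
static struct tnode *live[MAX_LIVE];
static int n_live;
static int dangling_hits;

static int is_live(const struct tnode *n) {
    for (int i = 0; i < n_live; i++)
        if (live[i] == n) return 1;
    return 0;
}

static void forget(struct tnode *n) {
    for (int i = 0; i < n_live; i++)
        if (live[i] == n) { live[i] = live[--n_live]; return; }
}

static struct tnode *tnew(struct tnode *parent) {
    struct tnode *n = calloc(1, sizeof *n);
    if (!n || n_live == MAX_LIVE) abort();
    n->parent = parent;
    if (parent) { n->next = parent->child; parent->child = n; } /* prepend */
    live[n_live++] = n;
    return n;
}

static void tfree(struct tnode *n) {
    if (!n) return;
    while (n->child) {                 /* children first, head of list first */
        struct tnode *c = n->child;
        n->child = c->next;
        c->parent = NULL;
        tfree(c);
    }
    if (n->parent) {                   /* unlink from the parent's child list */
        struct tnode **pp = &n->parent->child;
        while (*pp && *pp != n) pp = &(*pp)->next;
        if (*pp) *pp = n->next;
    }
    if (n->destructor) n->destructor(n);
    forget(n);
    free(n);
}

/* The NTVFS "file object": allocated under srv_conn, but holding a pointer
 * to a msg_dgm_ref that is a child of event_ctx, i.e. a different subtree. */
struct file_obj { struct tnode *msg_ref; };

static int file_destructor(struct tnode *n) {
    struct file_obj *f = n->priv;
    int rc = 0;
    if (!is_live(f->msg_ref)) {
        dangling_hits++;   /* the real destructor would dereference freed memory here */
        rc = -1;
    }
    free(f);
    return rc;
}

/* Returns the number of destructor runs that found their msg_dgm_ref already freed. */
static int teardown_scenario(int reinit, int free_srv_conn_first) {
    dangling_hits = 0;
    struct tnode *event_ctx = tnew(NULL);
    struct tnode *msg_ref = tnew(event_ctx);        /* msg_dgm_ref */
    struct tnode *srv_conn = tnew(event_ctx);
    struct tnode *file = tnew(srv_conn);
    struct file_obj *f = malloc(sizeof *f);
    if (!f) abort();
    f->msg_ref = msg_ref;
    file->priv = f;
    file->destructor = file_destructor;

    if (reinit) {                       /* imessaging_reinit-style churn */
        tfree(msg_ref);
        msg_ref = tnew(event_ctx);      /* now precedes srv_conn in event_ctx's list */
        f->msg_ref = msg_ref;
    }
    if (free_srv_conn_first)
        tfree(srv_conn);                /* TALLOC_FREE(srv_conn) before terminate() */
    tfree(event_ctx);                   /* model_ops->terminate(): talloc_free(event_ctx) */
    return dangling_hits;
}

int main(void) {
    printf("no reinit, free event_ctx only: %d dangling\n", teardown_scenario(0, 0));
    printf("reinit,    free event_ctx only: %d dangling\n", teardown_scenario(1, 0));
    printf("reinit,    srv_conn first:      %d dangling\n", teardown_scenario(1, 1));
    return 0;
}
```

The point the scenario makes: with the original teardown the outcome depends on list position alone, so the code is only correct by accident until a reinit reorders the children. Freeing the subtree that holds the cross-reference (srv_conn) before the subtree it points into (event_ctx and its msg_dgm_ref) makes the ordering explicit, which is what the patch does; the alternative of making the file object's destructor tolerate a freed msg_dgm_ref is not available, since nothing in the hierarchy tells it the pointer is stale.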
process_model.c Revert making public of the samba-module library. 2011-12-03 08:36:30 +01:00
process_model.h s4-server: cleanup allocation of process models 2010-11-03 10:40:52 +00:00
process_single.c s4-process_single: Use pid,task_id as cluster_id in process_single just like process_prefork 2013-01-26 16:13:04 +01:00
process_standard.c s4: messaging. Add imessaging_reinit_all() function. 2017-03-31 14:48:17 +02:00
server.c param: Remove winbindd privileged socket directory option 2017-01-22 18:30:12 +01:00
service_named_pipe.c s4-named_pipe_auth: Rename client -> remote_client and server -> local_server 2017-03-29 02:37:28 +02:00
service_stream.c s4: server: Fix crash in NTVFS server caused by ordering of destructor calls. 2017-04-02 05:18:39 +02:00
service_stream.h smbd/service_stream: connection processing flag is not really bool 2016-12-01 00:28:05 +01:00
service_task.c s4: messaging: Remove bool auto_remove parameter from imessaging_init(). 2016-07-23 06:04:11 +02:00
service_task.h server_id.idl: Bring server_id.idl in common 2011-06-09 12:40:08 +02:00
service.c dlist: remove unneeded type argument from DLIST_ADD_END() 2016-02-06 21:48:17 +01:00
service.h
wscript_build s4: messaging. Add imessaging_reinit_all() function. 2017-03-31 14:48:17 +02:00