| commit | a81b8f2c1355976f48c0a791b868066526a63922 | |
| author | Jeremy Allison <jra@samba.org> | |
| Thu, 13 Jul 2017 19:06:58 +0000 (13 12:06 -0700) | ||
| committer | Karolin Seeger <kseeger@samba.org> | |
| Tue, 25 Jul 2017 04:16:36 +0000 (25 06:16 +0200) | ||
| tree | 61a3396a1d5b92a6f20370257bbc2555140bc097 | treesnapshot (tar.gz zip) |
| parent | 6155eba0dbde13f5ba5122b590cad6e3de9af186 | commitdiff |
s3: smbd: Fix a read after free if a chained SMB1 call goes async.
Reported to the Samba Team by Yihan Lian <lianyihan@360.cn>, a security
researcher of Qihoo 360 GearTeam. Thanks a lot!
smb1_parse_chain() incorrectly used talloc_tos() for the memory
context of the chained smb1 requests. This gets freed between
requests so if a chained request goes async, the saved request
array also is freed, which causes a crash on resume.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12836
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5fe76a5474823ed7602938a07c9c43226a7882a3)
Autobuild-User(v4-6-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-6-test): Tue Jul 25 06:16:37 CEST 2017 on sn-devel-144
Reported to the Samba Team by Yihan Lian <lianyihan@360.cn>, a security
researcher of Qihoo 360 GearTeam. Thanks a lot!
smb1_parse_chain() incorrectly used talloc_tos() for the memory
context of the chained smb1 requests. This gets freed between
requests so if a chained request goes async, the saved request
array also is freed, which causes a crash on resume.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12836
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5fe76a5474823ed7602938a07c9c43226a7882a3)
Autobuild-User(v4-6-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-6-test): Tue Jul 25 06:16:37 CEST 2017 on sn-devel-144
| source3/smbd/process.c | diffblobblamehistory |