> commit 12a2230581b3ff5c7a29819532652d7ddfe61521
> Author: Andreas Schneider <[email protected]>
> Date: Fri Nov 8 16:14:35 2013 +0100
>
> s4-smb_server: Fix a use after free.
>
> If we haven't allocated the smbsrv_session then we should not free it.
>
> Signed-off-by: Andreas Schneider <[email protected]>
> Reviewed-by: Jeremy Allison <[email protected]>
>
> diff --git a/source4/smb_server/smb/sesssetup.c
> b/source4/smb_server/smb/sesssetup.c
> index b26c128..4ebc0c4 100644
> --- a/source4/smb_server/smb/sesssetup.c
> +++ b/source4/smb_server/smb/sesssetup.c
> @@ -415,6 +415,7 @@ static void sesssetup_spnego(struct smbsrv_request *req,
> union smb_sesssetup *se
> {
> NTSTATUS status;
> struct smbsrv_session *smb_sess = NULL;
> + bool is_smb_sess_new = false;
> struct sesssetup_spnego_state *s = NULL;
> uint16_t vuid;
> struct tevent_req *subreq;
> @@ -465,6 +466,7 @@ static void sesssetup_spnego(struct smbsrv_request *req,
> union smb_sesssetup *se
> status = NT_STATUS_INSUFFICIENT_RESOURCES;
> goto failed;
> }
> + is_smb_sess_new = true;
> } else {
> smb_sess = smbsrv_session_find_sesssetup(req->smb_conn, vuid);
> }
> @@ -510,7 +512,9 @@ static void sesssetup_spnego(struct smbsrv_request *req,
> union smb_sesssetup *se
> nomem:
> status = NT_STATUS_NO_MEMORY;
> failed:
> - talloc_free(smb_sess);
> + if (is_smb_sess_new) {
> + talloc_free(smb_sess);
> + }
> status = nt_status_squash(status);
> smbsrv_sesssetup_backend_send(req, sess, status);
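Review bot: In the second hunk the new `is_smb_sess_new = true;` is placed after the `goto failed` that closes the preceding `if`, so any failure taken inside that `if` reaches `failed:` with the flag still false and the session is not freed there. If that `if` (outside the hunk) is only the NULL check on the allocation's return value this is harmless, because `smb_sess` is NULL on that path; if it can fire after a session has already been allocated, the fix trades the use-after-free for a leak, or leaves the session owned by whatever talloc parent it was created under. The safer ordering is to mark the session as new at the point `smb_sess` is assigned in this branch, before the check, e.g. `smb_sess = <allocation>; is_smb_sess_new = true; if (!smb_sess) { ... goto failed; }` — `talloc_free()` on a NULL pointer is a no-op, so the `failed:` path stays correct either way. sesssetup_spnego's body starts and ends outside this hunk, so the exact shape of the allocating `if` cannot be confirmed from here.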
I think we need to talloc_steal(req, smb_sess) here. This is similar to https://git.samba.org/?p=samba.git;a=commitdiff;h=25494628a2e977568de0f634602ebe893d0a5b88 metze
