The branch, master has been updated
       via  2d4db4a s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid.
      from  2a6e170 witness: add WITNESS_UNSPECIFIED_VERSION to IDL.
https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 2d4db4a65e1e8924470741378fe249f22196eceb
Author: Jeremy Allison <j...@samba.org>
Date:   Tue Mar 31 14:40:23 2015 -0700

    s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid.

    Bug #11186: Crash seen in libsmbclient due to free of server structure during SMBC_getxattr() call

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11186

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: David Disseldorp <dd...@samba.org>

    Autobuild-User(master): David Disseldorp <dd...@samba.org>
    Autobuild-Date(master): Tue Apr 14 02:58:43 CEST 2015 on sn-devel-104

-----------------------------------------------------------------------

Summary of changes:
 source3/libsmb/libsmb_xattr.c | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)


Changeset truncated at 500 lines:

diff --git a/source3/libsmb/libsmb_xattr.c b/source3/libsmb/libsmb_xattr.c
index 8493776..9f7bea8 100644
--- a/source3/libsmb/libsmb_xattr.c
+++ b/source3/libsmb/libsmb_xattr.c
@@ -2073,6 +2073,25 @@ SMBC_getxattr_ctx(SMBCCTX *context, if (! srv->no_nt_session) { ipc_srv = SMBC_attr_server(frame, context, server, port, share, &workgroup, &user, &password); + /* + * SMBC_attr_server() can cause the original + * server to be removed from the cache. + * If so we must error out here as the srv + * pointer has been freed. + */ + if (smbc_getFunctionGetCachedServer(context)(context, + server, + share, + workgroup, + user) != srv) { +#if defined(ECONNRESET) + errno = ECONNRESET; +#else + errno = ETIMEDOUT; +#endif + TALLOC_FREE(frame); + return -1; + } if (! ipc_srv) { srv->no_nt_session = True; } 
@@ -2208,9 +2227,31 @@ SMBC_removexattr_ctx(SMBCCTX *context, } if (! srv->no_nt_session) { + int saved_errno; ipc_srv = SMBC_attr_server(frame, context, server, port, share, &workgroup, &user, &password); + saved_errno = errno; + /* + * SMBC_attr_server() can cause the original + * server to be removed from the cache. + * If so we must error out here as the srv + * pointer has been freed. + */ + if (smbc_getFunctionGetCachedServer(context)(context, + server, + share, + workgroup, + user) != srv) { +#if defined(ECONNRESET) + errno = ECONNRESET; +#else + errno = ETIMEDOUT; +#endif + TALLOC_FREE(frame); + return -1; + } if (! ipc_srv) { + errno = saved_errno; srv->no_nt_session = True; } } else { -- Samba Shared Repository
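Review bot: in the SMBC_getxattr_ctx hunk, the validity check looks srv up by (server, share, workgroup, user) only after SMBC_attr_server() has been handed &workgroup and &user, so if that call rewrites either string (they are passed by pointer, which is the usual reason to do so) the lookup runs with a different key from the one srv was cached under and can fail to find a still-valid srv, turning a working call into a spurious ECONNRESET. Either do the lookup with copies of workgroup and user taken before the SMBC_attr_server() call, or add a comment stating why the key cannot change. Two smaller points on the same lines: the check compares pointers, so it detects that srv is no longer the cached entry rather than that it "has been freed" as the comment says, and the comment should say so; and unlike the SMBC_removexattr_ctx hunk, this one does not save errno around the smbc_getFunctionGetCachedServer() lookup, so whatever errno SMBC_attr_server() set on failure can be lost before the `if (! ipc_srv)` branch runs. If that errno matters here as it apparently does in removexattr, preserve it the same way; if it does not, a short comment explaining the asymmetry would stop the next reader from "fixing" it.

Review bot: in the SMBC_removexattr_ctx hunk the saved_errno handling is undocumented: errno is captured immediately after SMBC_attr_server() and restored only on the `if (! ipc_srv)` path, which implies that the smbc_getFunctionGetCachedServer() lookup can clobber errno and that some later path returns with SMBC_attr_server()'s errno, but neither is stated in the hunk. Add a one-line comment next to `saved_errno = errno;` (for example `/* the cache lookup below may change errno; keep SMBC_attr_server()'s value */`) so the intent survives, and note that the same `#if defined(ECONNRESET)` / `ETIMEDOUT` block is now duplicated verbatim in two functions; a small static helper that sets the errno and frees the frame would keep the two call sites from drifting apart.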