[SCM] Samba Shared Repository - branch master updated

Mon, 13 Apr 2015 18:00:03 -0700 

The branch, master has been updated
       via  2d4db4a s3: libsmbclient: After getting attribute server, ensure 
main srv pointer is still valid.
      from  2a6e170 witness: add WITNESS_UNSPECIFIED_VERSION to IDL.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 2d4db4a65e1e8924470741378fe249f22196eceb
Author: Jeremy Allison <j...@samba.org>
Date:   Tue Mar 31 14:40:23 2015 -0700

    s3: libsmbclient: After getting attribute server, ensure main srv pointer 
is still valid.
    
    Bug #11186: Crash seen in libsmbclient due to free of server structure 
during SMBC_getxattr() call
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11186
    
    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: David Disseldorp <dd...@samba.org>
    
    Autobuild-User(master): David Disseldorp <dd...@samba.org>
    Autobuild-Date(master): Tue Apr 14 02:58:43 CEST 2015 on sn-devel-104

-----------------------------------------------------------------------

Summary of changes:
 source3/libsmb/libsmb_xattr.c | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)


Changeset truncated at 500 lines:

diff --git a/source3/libsmb/libsmb_xattr.c b/source3/libsmb/libsmb_xattr.c
index 8493776..9f7bea8 100644
--- a/source3/libsmb/libsmb_xattr.c
+++ b/source3/libsmb/libsmb_xattr.c
@@ -2073,6 +2073,25 @@ SMBC_getxattr_ctx(SMBCCTX *context,
         if (! srv->no_nt_session) {
                 ipc_srv = SMBC_attr_server(frame, context, server, port, share,
                                            &workgroup, &user, &password);
+               /*
+                * SMBC_attr_server() can cause the original
+                * server to be removed from the cache.
+                * If so we must error out here as the srv
+                * pointer has been freed.
+                */
+               if (smbc_getFunctionGetCachedServer(context)(context,
+                               server,
+                               share,
+                               workgroup,
+                               user) != srv) {
+#if defined(ECONNRESET)
+                       errno = ECONNRESET;
+#else
+                       errno = ETIMEDOUT;
+#endif
+                       TALLOC_FREE(frame);
+                       return -1;
+               }
                 if (! ipc_srv) {
                         srv->no_nt_session = True;
                 }
@@ -2208,9 +2227,31 @@ SMBC_removexattr_ctx(SMBCCTX *context,
         }
 
         if (! srv->no_nt_session) {
+               int saved_errno;
                 ipc_srv = SMBC_attr_server(frame, context, server, port, share,
                                            &workgroup, &user, &password);
+               saved_errno = errno;
+               /*
+                * SMBC_attr_server() can cause the original
+                * server to be removed from the cache.
+                * If so we must error out here as the srv
+                * pointer has been freed.
+                */
+               if (smbc_getFunctionGetCachedServer(context)(context,
+                               server,
+                               share,
+                               workgroup,
+                               user) != srv) {
+#if defined(ECONNRESET)
+                       errno = ECONNRESET;
+#else
+                       errno = ETIMEDOUT;
+#endif
+                       TALLOC_FREE(frame);
+                       return -1;
+               }
                 if (! ipc_srv) {
+                       errno = saved_errno;
                         srv->no_nt_session = True;
                 }
         } else {


-- 
Samba Shared Repository

Reply via email to