git.samba.org - samba.git/commit

author	Michael Adam <obnox@samba.org>
	Wed, 16 Mar 2016 22:57:33 +0000 (23:57 +0100)
committer	Jeremy Allison <jra@samba.org>
	Thu, 17 Mar 2016 03:31:10 +0000 (04:31 +0100)
commit	44f3dde85740d2b9462df2ed76da41dae0774470
tree	1cc96fc79ffe9425a52856c36786f73afd4b326e	tree
parent	a16379c585a6f6e9470a8745b6043be8171eb615	commit \| diff

smbd: fix use after free via conn->fsp_fi_cache

Some instrumentation of the the durable reconnect
code uncovered a problem in the fsp_new, fsp_free pair:

vfs_default_durable_reconnect():
  fsp_new() ==> this does DLIST_ADD(fsp->conn->sconn->files, fsp)
  if (fsp->oplock_type == LEASE_OPLOCK) {
    find_fsp_lease(fsp, &key, l) ==> this fills conn->fsp_fi_cache
    if (client guids not equal) {
      fsp_free(fsp) ==> this does DLIST_REMOVE(fsp->conn->sconn->files, fsp)
  }

so after this code we have the fsp_fi_cache still pointing to the
free'd memory. The next call to find_fsp_lease will use the cache
and hence access the freed memory.

The fix consists in invalidating the cache in fsp_free() instead
of just in its wrapper file_free().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11799

Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 17 04:31:10 CET 2016 on sn-devel-144