smbd: Fix a use-after-free
author Volker Lendecke <vl@samba.org>
Wed, 23 Feb 2022 14:56:41 +0000 (15:56 +0100)
committer Jule Anger <janger@samba.org>
Wed, 2 Mar 2022 10:26:30 +0000 (10:26 +0000)
stat_cache_lookup() allocates its result on top of talloc_tos().
filename_convert_smb1_search_path() creates a talloc_stackframe(),
which makes the names which were supposed to be allocated on the "ctx"
parameter of filename_convert_smb1_search_path() go away too
early. Reparent the results from stat_cache_lookup() properly.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14989

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar  1 20:59:55 UTC 2022 on sn-devel-184

(cherry picked from commit 8c97743511e4d53f795f2469a28aabfb96da0dfa)

source3/smbd/filename.c

index ef382b43bd62024641169d71c081553e4694e450..9146bf07ddc67d46f559c67a7c58faac6545706e 100644 (file)
@@ -1133,6 +1133,13 @@ NTSTATUS unix_convert(TALLOC_CTX *mem_ctx,
                                          &state->name,
                                          state->smb_fname->twrp,
                                          &state->smb_fname->st);
+               /*
+                * stat_cache_lookup() allocates on talloc_tos() even
+                * when !found, reparent correctly
+                */
+               talloc_steal(state->smb_fname, state->smb_fname->base_name);
+               talloc_steal(state->mem_ctx, state->dirpath);
+
                if (found) {
                        goto done;
                }
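Review bot: the two talloc_steal() calls choose different parents (state->smb_fname for base_name, state->mem_ctx for dirpath) but the added comment only says "reparent correctly"; it would help the next reader to say why each pointer gets its particular owner, e.g. extend the comment with `* base_name belongs to smb_fname, dirpath to the caller's mem_ctx`. It is also worth stating in the comment that the steals are deliberately unconditional: they sit before the `if (found)` check so the !found path is covered too, which is exactly the case the commit message describes (names living on the talloc_stackframe() that goes away too early). If stat_cache_lookup() can leave either pointer NULL on that path, a short note that talloc_steal() tolerates a NULL pointer would save a lookup.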