smbd: Fix a use-after-free
authorVolker Lendecke <vl@samba.org>
Wed, 23 Feb 2022 14:56:41 +0000 (15:56 +0100)
committerJeremy Allison <jra@samba.org>
Tue, 1 Mar 2022 20:59:55 +0000 (20:59 +0000)
stat_cache_lookup() allocates its result on top of talloc_tos().
filename_convert_smb1_search_path() creates a talloc_stackframe(),
which makes the names that were supposed to be allocated on the "ctx"
parameter of filename_convert_smb1_search_path() go away too
early. Reparent the results from stat_cache_lookup() properly.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14989

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar  1 20:59:55 UTC 2022 on sn-devel-184

source3/smbd/filename.c

index 33aed86718f2af84633fa2db57b98e29cb279608..123fe951639ab0db9e52b792ea6cc3573d257f07 100644 (file)
@@ -1141,6 +1141,13 @@ NTSTATUS unix_convert(TALLOC_CTX *mem_ctx,
                                          &state->name,
                                          state->smb_fname->twrp,
                                          &state->smb_fname->st);
+               /*
+                * stat_cache_lookup() allocates on talloc_tos() even
+                * when !found, reparent correctly
+                */
+               talloc_steal(state->smb_fname, state->smb_fname->base_name);
+               talloc_steal(state->mem_ctx, state->dirpath);
+
                if (found) {
                        goto done;
                }
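Review bot: state->name, passed as an out-parameter to stat_cache_lookup() on the hunk's first context line, is not reparented by the two new talloc_steal() calls, which cover only base_name and dirpath. If, as I believe stat_cache_lookup() documents, it is a pointer into base_name rather than a separate talloc_tos() allocation, the steal of base_name already keeps it valid, but the added comment should state that so the next reader does not see a third dangling pointer; e.g. `/* state->name points into base_name, so stealing base_name covers it */`. The comment as written also reads as if the reparenting matters only for the !found case, whereas the calls sit before `if (found) goto done;` and so are needed on both exits; wording such as `reparent on both the found and !found paths` would make that intent explicit. unix_convert() starts and ends outside the hunk.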