s3: smbd: Fix a read after free if a chained SMB1 call goes async.

Reported to the Samba Team by Yihan Lian <lianyihan@360.cn>, a security
researcher of Qihoo 360 GearTeam. Thanks a lot!

smb1_parse_chain() incorrectly used talloc_tos() for the memory
context of the chained smb1 requests. This gets freed between
requests so if a chained request goes async, the saved request
array also is freed, which causes a crash on resume.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12836

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5fe76a5474823ed7602938a07c9c43226a7882a3)

Autobuild-User(v4-5-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-5-test): Tue Jul 25 05:32:53 CEST 2017 on sn-devel-144

diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index 8f097ecbc00a87d450336252b9afa31362f3e8c9..656f1c0a667ee317fbab566fd680b57c6044b579 100644 (file)
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1784,7 +1784,7 @@ static void construct_reply_chain(struct smbXsrv_connection *xconn,
        unsigned num_reqs;
        bool ok;
 
-       ok = smb1_parse_chain(talloc_tos(), (uint8_t *)inbuf, xconn, encrypted,
+       ok = smb1_parse_chain(xconn, (uint8_t *)inbuf, xconn, encrypted,
                              seqnum, &reqs, &num_reqs);
        if (!ok) {
                char errbuf[smb_size];