This was introduced by f86208d272cfa0ce6753b02d3f5b1cce4fd91e2e:
==47833== Invalid read of size 1
==47833== at 0x4846782: strlen (vg_replace_strmem.c:494)
==47833== by 0x4F9D257: __vfprintf_internal (vfprintf-process-arg.c:397)
==47833== by 0x4FBD3A5: __vasprintf_internal (vasprintf.c:57)
==47833== by 0x4EBDFFD: __dbgtext_va (debug.c:1939)
==47833== by 0x4EBE125: dbgtext (debug.c:1960)
==47833== by 0x49A9E77: exit_server_common (server_exit.c:230)
==47833== by 0x49A9EE6: smbd_exit_server_cleanly (server_exit.c:247)
==47833== by 0x4ECA2EF: exit_server_cleanly (smbd_shim.c:113)
==47833== by 0x495E72B: smbd_server_connection_terminate_done (smb2_server.c:1758)
==47833== by 0x4D4ED6A: _tevent_req_notify_callback (tevent_req.c:177)
==47833== by 0x4D4EEFB: tevent_req_finish (tevent_req.c:234)
==47833== by 0x4D4F02A: tevent_req_trigger (tevent_req.c:291)
==47833== Address 0xb8cf820 is 96 bytes inside a block of size 123 free'd
==47833== at 0x484317B: free (vg_replace_malloc.c:872)
==47833== by 0x4CF8950: _tc_free_internal (talloc.c:1222)
==47833== by 0x4CF993E: _tc_free_children_internal (talloc.c:1669)
==47833== by 0x4CF8830: _tc_free_internal (talloc.c:1184)
==47833== by 0x4CF993E: _tc_free_children_internal (talloc.c:1669)
==47833== by 0x4CF8830: _tc_free_internal (talloc.c:1184)
==47833== by 0x4CF89F7: _talloc_free_internal (talloc.c:1248)
==47833== by 0x4CF9D93: _talloc_free (talloc.c:1792)
==47833== by 0x495E700: smbd_server_connection_terminate_done (smb2_server.c:1748)
==47833== by 0x4D4ED6A: _tevent_req_notify_callback (tevent_req.c:177)
==47833== by 0x4D4EEFB: tevent_req_finish (tevent_req.c:234)
==47833== by 0x4D4F02A: tevent_req_trigger (tevent_req.c:291)
==47833== Block was alloc'd at
==47833== at 0x48407B4: malloc (vg_replace_malloc.c:381)
==47833== by 0x4CF7CAC: __talloc_with_prefix (talloc.c:783)
==47833== by 0x4CF7E46: __talloc (talloc.c:825)
==47833== by 0x4CFB007: __talloc_strlendup (talloc.c:2454)
==47833== by 0x4CFB0BD: talloc_strdup (talloc.c:2470)
==47833== by 0x495E7B6: smbd_server_connection_terminate_ex (smb2_server.c:1775)
==47833== by 0x4969222: smbd_smb2_connection_handler (smb2_server.c:5291)
==47833== by 0x4D4CAE2: tevent_common_invoke_fd_handler (tevent_fd.c:174)
==47833== by 0x4D596D5: epoll_event_loop (tevent_epoll.c:696)
==47833== by 0x4D59E5E: epoll_event_loop_once (tevent_epoll.c:926)
==47833== by 0x4D5529C: std_event_loop_once (tevent_standard.c:110)
==47833== by 0x4D4B3B9: _tevent_loop_once (tevent.c:820)
==47833==
state was a child of "xconn", so when xconn was freed state went away.
As reason is used at the very end of exit_server_common() after *all* global
objects that could be used as talloc parent are freed, there's just no other way
to make "reason" a talloc string than allocating it from the NULL context right
away.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
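
The lifetime problem described in the commit message, as an added example that is not part of the commit or of Samba's code. It uses a small stand-in hierarchical allocator rather than libtalloc; `ctx_alloc`, `ctx_free`, `teardown_demo` and the string "shutdown" are hypothetical names and values chosen for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in for a talloc-style hierarchical allocator; this is not libtalloc. */
struct chunk { struct chunk *parent, *child, *next; };
static int live_chunks;                  /* chunks not yet freed */

/* Allocate size bytes under ctx; ctx == NULL means "no parent". */
static void *ctx_alloc(void *ctx, size_t size) {
    struct chunk *c = calloc(1, sizeof(*c) + size);
    if (c == NULL) abort();
    if (ctx != NULL) {                   /* link into the parent's child list */
        c->parent = (struct chunk *)ctx - 1;
        c->next = c->parent->child;
        c->parent->child = c;
    }
    live_chunks++;
    return c + 1;
}

/* Free ptr and, recursively, every chunk allocated beneath it. */
static void ctx_free(void *ptr) {
    struct chunk *c = (struct chunk *)ptr - 1;
    while (c->child != NULL) ctx_free(c->child + 1);
    if (c->parent != NULL) {             /* unlink from the parent */
        struct chunk **pp = &c->parent->child;
        while (*pp != c) pp = &(*pp)->next;
        *pp = c->next;
    }
    live_chunks--;
    free(c);
}

/* Free "xconn" and return the only reason string that is still valid. */
static char *teardown_demo(void) {
    void *xconn = ctx_alloc(NULL, 1);
    void *state = ctx_alloc(xconn, 1);
    char *buggy = ctx_alloc(state, 16);  /* child of state: freed with xconn */
    char *fixed = ctx_alloc(NULL, 16);   /* NULL context: outlives xconn */
    strcpy(buggy, "shutdown");
    strcpy(fixed, "shutdown");
    ctx_free(xconn);                     /* xconn, state and buggy are gone */
    return fixed;                        /* reading buggy here is the bug */
}

int main(void) {
    char *reason = teardown_demo();
    printf("live chunks: %d, reason: %s\n", live_chunks, reason);
    ctx_free(reason);
    return 0;
}
```

Freeing the top-level chunk releases the whole subtree, so only the string allocated from the NULL context can be read after teardown, and it has to be freed explicitly.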