From: Garming Sam Date: Fri, 9 Jun 2017 02:13:25 +0000 (+1200) Subject: stream_terminate_connection: Prevent use-after-free X-Git-Tag: ldb-1.1.31~66 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2f045e7fc147aab2a4c7f356f0ce834f47cdff42;p=thirdparty%2Fsamba.git stream_terminate_connection: Prevent use-after-free This sometimes would show up as corrupted bytes during logs. Hammering the LDAP server enough times managed to trigger an outright segfault. Signed-off-by: Garming Sam Reviewed-by: Andrew Bartlett --- diff --git a/source4/smbd/service_stream.c b/source4/smbd/service_stream.c index bda28ad26f8..917a1876e07 100644 --- a/source4/smbd/service_stream.c +++ b/source4/smbd/service_stream.c @@ -55,6 +55,7 @@ void stream_terminate_connection(struct stream_connection *srv_conn, const char struct tevent_context *event_ctx = srv_conn->event.ctx; const struct model_ops *model_ops = srv_conn->model_ops; struct loadparm_context *lp_ctx = srv_conn->lp_ctx; + TALLOC_CTX *frame = NULL; if (!reason) reason = "unknown reason"; @@ -77,11 +78,20 @@ void stream_terminate_connection(struct stream_connection *srv_conn, const char return; } + frame = talloc_stackframe(); + + reason = talloc_strdup(frame, reason); + if (reason == NULL) { + reason = "OOM - unknown reason"; + } + talloc_free(srv_conn->event.fde); srv_conn->event.fde = NULL; imessaging_cleanup(srv_conn->msg_ctx); TALLOC_FREE(srv_conn); model_ops->terminate(event_ctx, lp_ctx, reason); + + TALLOC_FREE(frame); } /**
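Review bot: The added `reason = talloc_strdup(frame, reason);` in the second hunk has no comment explaining why the copy is needed, so a later cleanup could drop it as redundant and bring the use-after-free back. Judging by the commit title and where the copy sits, `reason` can presumably point at memory owned by `srv_conn`, which `TALLOC_FREE(srv_conn)` releases before `model_ops->terminate()` reads the string. I would put `/* reason may be allocated under srv_conn; copy it so it outlives TALLOC_FREE(srv_conn) */` directly above the copy. The branch ending in `return;` just above the added lines is only partly visible, and the function starts outside the hunk. If that branch keeps `reason` for a deferred termination, the stored pointer would need the same lifetime check.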