From: Thomas Jarosch Date: Sat, 22 Jul 2017 16:36:18 +0000 (-0700) Subject: s3: libsmb: Fix use-after-free when accessing pointer *p. X-Git-Tag: samba-4.5.13~24 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5d740e45c4ecb8d6acdb6e429bd35d0e9f91e1be;p=thirdparty%2Fsamba.git s3: libsmb: Fix use-after-free when accessing pointer *p. talloc_asprintf_append() might call realloc() and therefore move the memory address of "path". BUG: https://bugzilla.samba.org/show_bug.cgi?id=12927 Signed-off-by: Thomas Jarosch Reviewed-by: Jeremy Allison Reviewed-by: Ralph Böhme Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Sat Jul 22 22:45:05 CEST 2017 on sn-devel-144 (cherry picked from commit 890137cffedcaf88a9ff808c01335ee14fcfd8da) Autobuild-User(v4-5-test): Karolin Seeger Autobuild-Date(v4-5-test): Mon Jul 24 06:24:58 CEST 2017 on sn-devel-144 --- diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c index 97ecaa405a7..5734f42b3ab 100644 --- a/source3/libsmb/libsmb_dir.c +++ b/source3/libsmb/libsmb_dir.c @@ -379,9 +379,9 @@ SMBC_opendir_ctx(SMBCCTX *context, char *options = NULL; char *workgroup = NULL; char *path = NULL; + size_t path_len = 0; uint16_t mode; uint16_t port = 0; - char *p = NULL; SMBCSRV *srv = NULL; SMBCFILE *dir = NULL; struct sockaddr_storage rem_ss; @@ -801,7 +801,7 @@ SMBC_opendir_ctx(SMBCCTX *context, /* Now, list the files ... */ - p = path + strlen(path); + path_len = strlen(path); path = talloc_asprintf_append(path, "\\*"); if (!path) { if (dir) { @@ -843,7 +843,7 @@ SMBC_opendir_ctx(SMBCCTX *context, * got would have been EINVAL rather * than ENOTDIR. */ - *p = '\0'; /* restore original path */ + path[path_len] = '\0'; /* restore original path */ if (SMBC_getatr(context, srv, path, &mode, NULL,
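Review bot: In the hunk at line 801, nothing next to `path_len = strlen(path);` says why a length is saved rather than a pointer, so a later cleanup could bring back a cached pointer into `path`. Suggest a one-line comment above it stating that talloc_asprintf_append() may move `path` and that only an offset stays valid across the call.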
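Review bot: In the hunk at line 843, the comment on `path[path_len] = '\0';` still reads only "restore original path", while the append it undoes sits about forty lines earlier in the hunk at line 801. Suggest expanding the comment to say that it strips the "\\*" suffix appended there and that `path_len` was taken before that append, so the dependency between the two sites is visible to anyone editing either one.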
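The pattern the fix adopts, saving an offset instead of a pointer across an append that may reallocate, shown as an added example that is not part of the Samba commit. It assumes plain realloc() inside a hypothetical append_str() helper as a stand-in for talloc_asprintf_append(); wildcard_then_restore() and the sample path are likewise constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for talloc_asprintf_append(): grows a heap string
 * with realloc(), so the returned pointer may differ from the one passed in.
 * On failure the original buffer is freed and NULL is returned. */
static char *append_str(char *s, const char *suffix)
{
    size_t old_len = strlen(s), add = strlen(suffix);
    char *grown = realloc(s, old_len + add + 1);
    if (grown == NULL) {
        free(s);
        return NULL;
    }
    memcpy(grown + old_len, suffix, add + 1);   /* copies the NUL as well */
    return grown;
}

/* Append a wildcard, then restore the original path by saved offset.
 * *moved is set to 1 when realloc() relocated the buffer, which is the
 * case where a saved "p = path + strlen(path)" would point at freed memory. */
char *wildcard_then_restore(const char *orig, int *moved)
{
    size_t path_len = strlen(orig);             /* offset, valid after a move */
    char *path = malloc(path_len + 1);
    if (path == NULL) return NULL;
    memcpy(path, orig, path_len + 1);

    uintptr_t before = (uintptr_t)path;         /* taken before realloc() */
    path = append_str(path, "\\*");
    if (path == NULL) return NULL;
    *moved = ((uintptr_t)path != before);

    /* ... path would be used as the listing mask here ... */
    path[path_len] = '\0';                      /* index into current buffer */
    return path;
}

int main(void)
{
    int moved = 0;
    char *p = wildcard_then_restore("\\\\server\\share\\dir", &moved); /* constructed path */
    if (p == NULL) return 1;
    printf("restored=%s moved=%d\n", p, moved);
    free(p);
    return 0;
}
```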