From: Volker Lendecke Date: Wed, 23 Feb 2022 14:56:41 +0000 (+0100) Subject: smbd: Fix a use-after-free X-Git-Tag: tevent-0.12.0~613 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8c97743511e4d53f795f2469a28aabfb96da0dfa;p=thirdparty%2Fsamba.git smbd: Fix a use-after-free stat_cache_lookup() allocates its result on top of talloc_tos(). filename_convert_smb1_search_path() creates a talloc_stackframe(), which makes the names which were supposed to be allocated on the "ctx" parameter of filename_convert_smb1_search_path() go away too early. Reparent the results from stat_cache_lookup() properly. Bug: https://bugzilla.samba.org/show_bug.cgi?id=14989 Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Tue Mar 1 20:59:55 UTC 2022 on sn-devel-184 --- diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c index 33aed86718f..123fe951639 100644 --- a/source3/smbd/filename.c +++ b/source3/smbd/filename.c @@ -1141,6 +1141,13 @@ NTSTATUS unix_convert(TALLOC_CTX *mem_ctx, &state->name, state->smb_fname->twrp, &state->smb_fname->st); + /* + * stat_cache_lookup() allocates on talloc_tos() even + * when !found, reparent correctly + */ + talloc_steal(state->smb_fname, state->smb_fname->base_name); + talloc_steal(state->mem_ctx, state->dirpath); + if (found) { goto done; }
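Review bot: the two talloc_steal() calls are placed before the `if (found)` check, so they also run on the !found path where stat_cache_lookup() may have left a partial result on talloc_tos(); that is the point of the fix, but the block comment should say so explicitly, and should note that the calls rely on talloc_steal() accepting a NULL pointer and being harmless when state->smb_fname->base_name already hangs off state->smb_fname, otherwise a later reader may move them under `if (found)` and reintroduce the use-after-free described in the commit message. Also worth considering for a follow-up: giving stat_cache_lookup() a mem_ctx parameter so base_name and dirpath are allocated on the caller's context from the start, rather than on talloc_tos() with a reparent afterwards, since the reparenting keeps the dependency on the talloc_stackframe() lifetime in filename_convert_smb1_search_path() implicit at the call site.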