s3:smbd: Fix invalid memory free
authorAndreas Schneider <asn@samba.org>
Wed, 26 Jun 2024 14:11:57 +0000 (16:11 +0200)
committerAndreas Schneider <asn@cryptomilk.org>
Mon, 8 Jul 2024 07:36:32 +0000 (07:36 +0000)
"Error: BAD_FREE (CWE-590):
samba-4.20.0rc2/source3/smbd/smb1_process.c:1485: array_free: ""smb1_srv_send"" frees array ""errbuf"".
 1483|    char errbuf[smb_size];
 1484|    error_packet(errbuf, 0, 0, status, __LINE__, __FILE__);
 1485|->  if (!smb1_srv_send(req->xconn,
 1486|       errbuf,
 1487|       true,"

Pair-Programmed-With: Ralph Boehme <slow@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
source3/smbd/seal.c
source3/smbd/smb1_process.c

index a6cfeaad8b2a215902cff64f1334d1ff55fba363..0f1ceaf40446e0b42795990ddd0d4886d69adbf3 100644 (file)
@@ -139,11 +139,7 @@ static NTSTATUS make_srv_encryption_context(const struct tsocket_address *remote
 
 void srv_free_enc_buffer(struct smbXsrv_connection *xconn, char *buf)
 {
-       /* We know this is an smb buffer, and we
-        * didn't malloc, only copy, for a keepalive,
-        * so ignore non-session messages. */
-
-       if(CVAL(buf,0)) {
+       if (buf == NULL) {
                return;
        }
 
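Review bot: With the `CVAL(buf,0)` test and its comment removed, `srv_free_enc_buffer` no longer states which pointers are legal to pass, yet the fix depends on callers passing only NULL or a buffer that the encryption path allocated. I would document that above the new check, for example `/* buf must be NULL or a buffer returned by srv_encrypt_buffer(); never the caller's original packet. */`. This diff does not show whether srv_encrypt_buffer can hand back the caller's own buffer for non-session (keepalive) messages or when encryption is off. If it can, that pass-through pointer now reaches the free path that the old first-byte test skipped, so it is worth confirming the code further down still filters it. The function body continues outside this hunk.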
index bb83b986c6669ffbeb501a571305a7bf365dba40..a1970b9e252a46281cb361d1235bab4edb2f5d5c 100644 (file)
@@ -217,6 +217,7 @@ bool smb1_srv_send(struct smbXsrv_connection *xconn,
        size_t len = 0;
        ssize_t ret;
        char *buf_out = buffer;
+       char *encrypted_buf = NULL;
 
        if (!NT_STATUS_IS_OK(xconn->transport.status)) {
                /*
@@ -240,7 +241,7 @@ bool smb1_srv_send(struct smbXsrv_connection *xconn,
        }
 
        if (do_encrypt) {
-               NTSTATUS status = srv_encrypt_buffer(xconn, buffer, &buf_out);
+               NTSTATUS status = srv_encrypt_buffer(xconn, buffer, &encrypted_buf);
                if (!NT_STATUS_IS_OK(status)) {
                        DEBUG(0, ("send_smb: SMB encryption failed "
                                "on outgoing packet! Error %s\n",
@@ -248,11 +249,13 @@ bool smb1_srv_send(struct smbXsrv_connection *xconn,
                        ret = -1;
                        goto out;
                }
+               buf_out = encrypted_buf;
        }
 
        len = smb_len_large(buf_out) + 4;
 
        ret = write_data(xconn->transport.sock, buf_out, len);
+       srv_free_enc_buffer(xconn, encrypted_buf);
        if (ret <= 0) {
                int saved_errno = errno;
                /*
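Review bot: `srv_free_enc_buffer(xconn, encrypted_buf);` now runs between `write_data()` and `int saved_errno = errno;` in the failure branch, so anything in the free path that sets errno can replace the write error before it is logged and restored. The old code freed only after errno had been saved and put back. Capturing the value first keeps the diagnostic accurate: add `int write_errno = errno;` directly after the `write_data()` call and `errno = write_errno;` directly after the free. The failure branch and the rest of smb1_srv_send continue outside this hunk.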
@@ -265,11 +268,9 @@ bool smb1_srv_send(struct smbXsrv_connection *xconn,
                         (int)ret, strerror(saved_errno)));
                errno = saved_errno;
 
-               srv_free_enc_buffer(xconn, buf_out);
                goto out;
        }
 
-       srv_free_enc_buffer(xconn, buf_out);
 out:
        smbd_unlock_socket(xconn);
        return (ret > 0);