From: Andreas Schneider Date: Wed, 26 Jun 2024 14:11:57 +0000 (+0200) Subject: s3:smbd: Fix invalid memory free X-Git-Tag: tdb-1.4.11~169 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0131e4737c2da46a7b1f492c67d851ee9f860ed2;p=thirdparty%2Fsamba.git s3:smbd: Fix invalid memory free "Error: BAD_FREE (CWE-590): samba-4.20.0rc2/source3/smbd/smb1_process.c:1485: array_free: ""smb1_srv_send"" frees array ""errbuf"". 1483| char errbuf[smb_size]; 1484| error_packet(errbuf, 0, 0, status, __LINE__, __FILE__); 1485|-> if (!smb1_srv_send(req->xconn, 1486| errbuf, 1487| true," Pair-Programmed-With: Ralph Boehme Signed-off-by: Ralph Boehme Signed-off-by: Andreas Schneider Reviewed-by: Volker Lendecke --- diff --git a/source3/smbd/seal.c b/source3/smbd/seal.c index a6cfeaad8b2..0f1ceaf4044 100644 --- a/source3/smbd/seal.c +++ b/source3/smbd/seal.c @@ -139,11 +139,7 @@ static NTSTATUS make_srv_encryption_context(const struct tsocket_address *remote void srv_free_enc_buffer(struct smbXsrv_connection *xconn, char *buf) { - /* We know this is an smb buffer, and we - * didn't malloc, only copy, for a keepalive, - * so ignore non-session messages. */ - - if(CVAL(buf,0)) { + if (buf == NULL) { return; } diff --git a/source3/smbd/smb1_process.c b/source3/smbd/smb1_process.c index bb83b986c66..a1970b9e252 100644 --- a/source3/smbd/smb1_process.c +++ b/source3/smbd/smb1_process.c @@ -217,6 +217,7 @@ bool smb1_srv_send(struct smbXsrv_connection *xconn, size_t len = 0; ssize_t ret; char *buf_out = buffer; + char *encrypted_buf = NULL; if (!NT_STATUS_IS_OK(xconn->transport.status)) { /* @@ -240,7 +241,7 @@ bool smb1_srv_send(struct smbXsrv_connection *xconn, } if (do_encrypt) { - NTSTATUS status = srv_encrypt_buffer(xconn, buffer, &buf_out); + NTSTATUS status = srv_encrypt_buffer(xconn, buffer, &encrypted_buf); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("send_smb: SMB encryption failed " "on outgoing packet! Error %s\n", 
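Review bot: srv_free_enc_buffer now hands every non-NULL pointer to the free path, so a caller's own plaintext buffer (the stack `errbuf` from the Coverity report, or `buffer` in smb1_srv_send) must never reach it again, and that contract is only implicit in the new `if (buf == NULL)` guard. I would state it above the function: `/* buf must be NULL or a buffer returned by srv_encrypt_buffer(); the caller's plaintext buffer must never be passed here. */`. The removed CVAL(buf,0) test also skipped non-session (keepalive) frames; any other caller that relied on that — none is visible in this diff, so a grep is worthwhile — would now free a buffer it does not own. By the hunk header's line counts the last two lines of this hunk are not visible here.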
@@ -248,11 +249,13 @@ bool smb1_srv_send(struct smbXsrv_connection *xconn, ret = -1; goto out; } + buf_out = encrypted_buf; } len = smb_len_large(buf_out) + 4; ret = write_data(xconn->transport.sock, buf_out, len); + srv_free_enc_buffer(xconn, encrypted_buf); if (ret <= 0) { int saved_errno = errno; /* @@ -265,11 +268,9 @@ bool smb1_srv_send(struct smbXsrv_connection *xconn, (int)ret, strerror(saved_errno))); errno = saved_errno; - srv_free_enc_buffer(xconn, buf_out); goto out; } - srv_free_enc_buffer(xconn, buf_out); out: smbd_unlock_socket(xconn); return (ret > 0);
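Review bot: After the added `srv_free_enc_buffer(xconn, encrypted_buf);` following write_data, `buf_out` still aliases the freed encrypted buffer for the rest of the function; nothing visible dereferences it afterwards, but the next debug print of the outgoing packet would be a use-after-free. Since `encrypted_buf` starts NULL and the free now tolerates NULL, the cleanup belongs on the single exit: drop the free after write_data and make the label `out:` immediately followed by `srv_free_enc_buffer(xconn, encrypted_buf);` before `smbd_unlock_socket(xconn);`. That also covers the `goto out` taken when srv_encrypt_buffer fails without depending on that function leaving its out-pointer untouched on error, which this diff does not show. smb1_srv_send begins outside this hunk.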