From: Ralph Boehme
Date: Fri, 22 Nov 2024 09:21:14 +0000 (+0100)
Subject: smbd: fix an invalid memory access
X-Git-Tag: tdb-1.4.13~233
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=dc68aad8d164a0cbf21ff3fee36e208255f352e3;p=thirdparty%2Fsamba.git

smbd: fix an invalid memory access

This was introduced by f86208d272cfa0ce6753b02d3f5b1cce4fd91e2e:

==47833== Invalid read of size 1
==47833==    at 0x4846782: strlen (vg_replace_strmem.c:494)
==47833==    by 0x4F9D257: __vfprintf_internal (vfprintf-process-arg.c:397)
==47833==    by 0x4FBD3A5: __vasprintf_internal (vasprintf.c:57)
==47833==    by 0x4EBDFFD: __dbgtext_va (debug.c:1939)
==47833==    by 0x4EBE125: dbgtext (debug.c:1960)
==47833==    by 0x49A9E77: exit_server_common (server_exit.c:230)
==47833==    by 0x49A9EE6: smbd_exit_server_cleanly (server_exit.c:247)
==47833==    by 0x4ECA2EF: exit_server_cleanly (smbd_shim.c:113)
==47833==    by 0x495E72B: smbd_server_connection_terminate_done (smb2_server.c:1758)
==47833==    by 0x4D4ED6A: _tevent_req_notify_callback (tevent_req.c:177)
==47833==    by 0x4D4EEFB: tevent_req_finish (tevent_req.c:234)
==47833==    by 0x4D4F02A: tevent_req_trigger (tevent_req.c:291)
==47833==  Address 0xb8cf820 is 96 bytes inside a block of size 123 free'd
==47833==    at 0x484317B: free (vg_replace_malloc.c:872)
==47833==    by 0x4CF8950: _tc_free_internal (talloc.c:1222)
==47833==    by 0x4CF993E: _tc_free_children_internal (talloc.c:1669)
==47833==    by 0x4CF8830: _tc_free_internal (talloc.c:1184)
==47833==    by 0x4CF993E: _tc_free_children_internal (talloc.c:1669)
==47833==    by 0x4CF8830: _tc_free_internal (talloc.c:1184)
==47833==    by 0x4CF89F7: _talloc_free_internal (talloc.c:1248)
==47833==    by 0x4CF9D93: _talloc_free (talloc.c:1792)
==47833==    by 0x495E700: smbd_server_connection_terminate_done (smb2_server.c:1748)
==47833==    by 0x4D4ED6A: _tevent_req_notify_callback (tevent_req.c:177)
==47833==    by 0x4D4EEFB: tevent_req_finish (tevent_req.c:234)
==47833==    by 0x4D4F02A: tevent_req_trigger (tevent_req.c:291)
==47833==  Block was alloc'd at
==47833==    at 0x48407B4: malloc (vg_replace_malloc.c:381)
==47833==    by 0x4CF7CAC: __talloc_with_prefix (talloc.c:783)
==47833==    by 0x4CF7E46: __talloc (talloc.c:825)
==47833==    by 0x4CFB007: __talloc_strlendup (talloc.c:2454)
==47833==    by 0x4CFB0BD: talloc_strdup (talloc.c:2470)
==47833==    by 0x495E7B6: smbd_server_connection_terminate_ex (smb2_server.c:1775)
==47833==    by 0x4969222: smbd_smb2_connection_handler (smb2_server.c:5291)
==47833==    by 0x4D4CAE2: tevent_common_invoke_fd_handler (tevent_fd.c:174)
==47833==    by 0x4D596D5: epoll_event_loop (tevent_epoll.c:696)
==47833==    by 0x4D59E5E: epoll_event_loop_once (tevent_epoll.c:926)
==47833==    by 0x4D5529C: std_event_loop_once (tevent_standard.c:110)
==47833==    by 0x4D4B3B9: _tevent_loop_once (tevent.c:820)

state was a child of "xconn", so when xconn was freed state went away. As reason is used at the very end of exit_server_common() after *all* global objects that could be used as a talloc parent are freed, there's just no other way to make "reason" a talloc string than allocating it from the NULL context right away.

Signed-off-by: Ralph Boehme
Reviewed-by: Jeremy Allison
---

diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 610d79e5760..59f4a4aad5b 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -1772,7 +1772,7 @@ void smbd_server_connection_terminate_ex(struct smbXsrv_connection *xconn,
 		exit_server("smbXsrv_connection_shutdown_send failed");
 	}
 	state->xconn = xconn;
-	state->reason = talloc_strdup(state, reason);
+	state->reason = talloc_strdup(NULL, reason);
 	if (state->reason == NULL) {
 		exit_server("talloc_strdup failed");
 	}
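Review bot: `state->reason = talloc_strdup(NULL, reason);` leaves the string with no talloc owner, so nothing in this hunk ever frees it; the commit message justifies that because the string is consumed only at the very end of exit_server_common() when the process is going away, but that reasoning lives only in the commit message. Please put a one-line comment above this assignment saying that the NULL context is deliberate and that `state` (a child of `xconn`) cannot be the parent because it is freed before the final dbgtext() in exit_server_common(), so a later cleanup does not "fix" the context back to `state` and reintroduce the use-after-free shown in the valgrind trace. If the exit path has a handle on the string after its last use, a TALLOC_FREE() there would also keep valgrind's leak report clean.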