summary |
shortlog |
log |
commit | commitdiff |
tree
raw |
patch |
inline | side by side (from parent 1:
2a6e170)
Bug #11186: Crash seen in libsmbclient due to free of server structure during SMBC_getxattr() call
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11186
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Tue Apr 14 02:58:43 CEST 2015 on sn-devel-104
if (! srv->no_nt_session) {
ipc_srv = SMBC_attr_server(frame, context, server, port, share,
&workgroup, &user, &password);
if (! srv->no_nt_session) {
ipc_srv = SMBC_attr_server(frame, context, server, port, share,
&workgroup, &user, &password);
+ /*
+ * SMBC_attr_server() can cause the original
+ * server to be removed from the cache.
+ * If so we must error out here as the srv
+ * pointer has been freed.
+ */
+ if (smbc_getFunctionGetCachedServer(context)(context,
+ server,
+ share,
+ workgroup,
+ user) != srv) {
+#if defined(ECONNRESET)
+ errno = ECONNRESET;
+#else
+ errno = ETIMEDOUT;
+#endif
+ TALLOC_FREE(frame);
+ return -1;
+ }
if (! ipc_srv) {
srv->no_nt_session = True;
}
if (! ipc_srv) {
srv->no_nt_session = True;
}
}
if (! srv->no_nt_session) {
}
if (! srv->no_nt_session) {
ipc_srv = SMBC_attr_server(frame, context, server, port, share,
&workgroup, &user, &password);
ipc_srv = SMBC_attr_server(frame, context, server, port, share,
&workgroup, &user, &password);
+ saved_errno = errno;
+ /*
+ * SMBC_attr_server() can cause the original
+ * server to be removed from the cache.
+ * If so we must error out here as the srv
+ * pointer has been freed.
+ */
+ if (smbc_getFunctionGetCachedServer(context)(context,
+ server,
+ share,
+ workgroup,
+ user) != srv) {
+#if defined(ECONNRESET)
+ errno = ECONNRESET;
+#else
+ errno = ETIMEDOUT;
+#endif
+ TALLOC_FREE(frame);
+ return -1;
+ }
srv->no_nt_session = True;
}
} else {
srv->no_nt_session = True;
}
} else {