stream_terminate_connection: Prevent use-after-free
authorGarming Sam <garming@catalyst.net.nz>
Fri, 9 Jun 2017 02:13:25 +0000 (14:13 +1200)
committerGarming Sam <garming@samba.org>
Wed, 14 Jun 2017 23:24:25 +0000 (01:24 +0200)
This would sometimes show up as corrupted bytes in the logs. Hammering
the LDAP server enough times managed to trigger an outright segfault.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/smbd/service_stream.c

index bda28ad26f8577d84bcb7475ea2d07fcaa4e6235..917a1876e07970ed1c66fd010f9e8918173cc835 100644 (file)
@@ -55,6 +55,7 @@ void stream_terminate_connection(struct stream_connection *srv_conn, const char
        struct tevent_context *event_ctx = srv_conn->event.ctx;
        const struct model_ops *model_ops = srv_conn->model_ops;
        struct loadparm_context *lp_ctx = srv_conn->lp_ctx;
+       TALLOC_CTX *frame = NULL;
 
        if (!reason) reason = "unknown reason";
 
@@ -77,11 +78,20 @@ void stream_terminate_connection(struct stream_connection *srv_conn, const char
                return;
        }
 
+       frame = talloc_stackframe();
+
+       reason = talloc_strdup(frame, reason);
+       if (reason == NULL) {
+               reason = "OOM - unknown reason";
+       }
+
        talloc_free(srv_conn->event.fde);
        srv_conn->event.fde = NULL;
        imessaging_cleanup(srv_conn->msg_ctx);
        TALLOC_FREE(srv_conn);
        model_ops->terminate(event_ctx, lp_ctx, reason);
+
+       TALLOC_FREE(frame);
 }
 
 /**
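Review bot: The duplication of `reason` onto a talloc stack frame just before `TALLOC_FREE(srv_conn)` is left unexplained in the code, so a later reader of stream_terminate_connection cannot see why a plain string parameter needs copying and may fold it back into the direct call. A one-line comment above the `talloc_strdup` would record the invariant the fix relies on: `/* reason may have been allocated under srv_conn by the caller; copy it to frame so terminate() does not read it after TALLOC_FREE(srv_conn) below */`. Note also that `frame` is only released if `model_ops->terminate` returns; if a process model's terminate callback ends the process instead, the stack frame is never freed, which looks harmless in that case but is worth stating in the same comment. The enclosing function starts before the first hunk; only its declaration block and tail are visible here.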