summaryrefslogtreecommitdiff
path: root/source3/lib/recvfile.c
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2009-05-04 08:31:40 -0700
committerJeremy Allison <jra@samba.org>2009-05-04 08:31:40 -0700
commite46a88ce35e1aba9d9a344773bc97a9f3f2bd616 (patch)
tree76a19b0c107dbc99dc93a7c68e655c9dedd28da4 /source3/lib/recvfile.c
parentd8de7e3193143ec50d86adc704123ca240a8f549 (diff)
downloadsamba-e46a88ce35e1aba9d9a344773bc97a9f3f2bd616.tar.gz
samba-e46a88ce35e1aba9d9a344773bc97a9f3f2bd616.tar.bz2
samba-e46a88ce35e1aba9d9a344773bc97a9f3f2bd616.zip
Fix bug #6315 smbd crashes doing vfs_full_audit on IPC$ close event.
The underlying problem is that once SMBulogoff is called, all server_info contexts associated with the vuid should become invalid, even if that's the context being currently used by the connection struct (tid). When the SMBtdis comes in it doesn't need a valid vuid value, but the code called inside vfs_full_audit always assumes that there is one (and hence a valid conn->server_info pointer) available. This is actually a bug inside the vfs_full_audit and other code inside Samba, which should only indirect conn->server_info on calls which require AS_USER to be set in our process table. I could fix all these issues, but there's no guarentee that someone might not add more code that fails this assumption, as it's a hard assumption to break (it's usually true). So what I've done is to ensure that on SMBulogoff the previously used conn->server_info struct is kept around to be used for print debugging purposes (it won't be used to change to an invalid user context, as such calls need AS_USER set). This isn't strictly correct, as there's no association with the (now invalid) context being freed and the call that causes conn->server_info to be indirected, but it's good enough for most cases. The hard part was to ensure that once a valid context is used again (via new sessionsetupX calls, or new calls on a still valid vuid on this tid) that we don't leak memory by simply replacing the stored conn->server_info pointer. We would never actually leak the memory (as all conn->server_info pointers are talloc children of conn), but with the previous patch a malicious client could cause many server_info structs to be talloced by the right combination of SMB calls. This new patch introduces free_conn_server_info_if_unused(), which protects against the above. Jeremy.
Diffstat (limited to 'source3/lib/recvfile.c')
0 files changed, 0 insertions, 0 deletions