From f1d9382b18fbf4b9428759cdeea3894b7871e236 Mon Sep 17 00:00:00 2001
From: Kamen Mazdrashki
Date: Sun, 6 Dec 2009 01:59:42 +0200
Subject: s4/smbstreams: Fix memory use after free.

The bug is that sometimes 'streams' is parent for 'new_name'. With this said, 'new_name' must be dupped before 'streams' pointer is freed.

Signed-off-by: Andrew Tridgell
---
 source4/ntvfs/posix/pvfs_streams.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
(limited to 'source4/ntvfs/posix')

diff --git a/source4/ntvfs/posix/pvfs_streams.c b/source4/ntvfs/posix/pvfs_streams.c
index 4da95432c1..cacd8c1995 100644
--- a/source4/ntvfs/posix/pvfs_streams.c
+++ b/source4/ntvfs/posix/pvfs_streams.c
@@ -304,11 +304,15 @@ NTSTATUS pvfs_stream_rename(struct pvfs_state *pvfs, struct pvfs_filename *name,
 	}
 
 	status = pvfs_streams_save(pvfs, name, fd, streams);
-	talloc_free(streams);
 
-	/* update the in-memory copy of the name of the open file */
-	talloc_free(name->stream_name);
-	name->stream_name = talloc_strdup(name, new_name);
+	if (NT_STATUS_IS_OK(status)) {
+
+		/* update the in-memory copy of the name of the open file */
+		talloc_free(name->stream_name);
+		name->stream_name = talloc_strdup(name, new_name);
+
+		talloc_free(streams);
+	}
 
 	return status;
 }
-- 
cgit
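Review bot: Moving `talloc_free(streams)` inside the `NT_STATUS_IS_OK(status)` branch means that when `pvfs_streams_save` fails the `streams` list is no longer released here, so it presumably lingers until its talloc parent goes away. The ordering problem described in the commit message only requires the `talloc_strdup` to run before the free, so the free can stay unconditional: keep the name update inside the `if` and put `talloc_free(streams);` after its closing brace. The result of `talloc_strdup(name, new_name)` is also unchecked, so an allocation failure leaves `name->stream_name` NULL while an OK status is returned; a check such as `if (name->stream_name == NULL) { status = NT_STATUS_NO_MEMORY; }` would surface it. pvfs_stream_rename begins before this hunk, so whether `streams` has another owner on the error path cannot be confirmed from here.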