Bugs: 9881 smbd terminated by SIGABRT after smb_account_free()
Review Request #1229 — Created Oct. 10, 2018 and submitted
Information:
- Submitter: vgusev
- Repository: illumos-gate
- Branch: master
- Bugs: 9881
- Commit: 39a1b92...
Reviewers:
- Groups: general
- People: gwr, jbk
Fix double free when lsa_lookup_sid() failed
A double free can occur if lsa_lookup_sid() returns an error with a polluted @info argument.
The lsa_LookupSids and lsa_LookupSids2 calls are affected.
Before fix:
~# rpcclient -U ""%"" -c "lookupsids S-1-5" 192.168.1.18
result was NT_STATUS_IO_TIMEOUT
And core files at smb server side (/core.smbd.1538999930).
After fix:
~# rpcclient -U ""%"" -c "lookupsids S-1-5" 192.168.1.18
S-1-5 unknown*unknown* (8)
No core files at server side.
usr/src/lib/smbsrv/libmlsvc/common/lsar_svc.c (Diff revision 1)
Couldn't you just have smb_account_free() reset/clear all the values after it frees them?
usr/src/lib/smbsrv/libmlsvc/common/lsar_svc.c (Diff revision 1)
That's the same suggestion I made in a comment on the issue.
There are quite a few places in this file that potentially have the same problem. Having smb_account_free clear out the fields it frees would solve that problem for all those call sites.
usr/src/lib/smbsrv/libmlsvc/common/lsar_svc.c (Diff revision 1)
I don't see why we need another smb_account_free call here.
Just adding the bzero is enough (but let's put it at the end of the loop, just after the existing call to smb_account_free).
Change Summary:
- Place bzero at the end of smb_account_free().
- Fixes 'git pbchk' warnings for original code:
usr/src/lib/smbsrv/libsmb/common/smb_sam.c:95: space tab sequences
usr/src/lib/smbsrv/libsmb/common/smb_sam.c:205: space tab sequences
Diff: Revision 2 (+6 -2)