From 0d01efdcb106938a82d7273277869fcf3003e8c5 Mon Sep 17 00:00:00 2001
From: Thomas Jarosch
Date: Sat, 22 Jul 2017 09:36:18 -0700
Subject: [PATCH] s3: libsmb: Fix use-after-free when accessing pointer *p.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

talloc_asprintf_append() might call realloc() and therefore move the memory address of "path".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12927

Signed-off-by: Thomas Jarosch
Reviewed-by: Jeremy Allison
Reviewed-by: Ralph Böhme
Autobuild-User(master): Jeremy Allison
Autobuild-Date(master): Sat Jul 22 22:45:05 CEST 2017 on sn-devel-144
(cherry picked from commit 890137cffedcaf88a9ff808c01335ee14fcfd8da)
---
 source3/libsmb/libsmb_dir.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c
index 4a4e08412bc..8038584138b 100644
--- a/source3/libsmb/libsmb_dir.c
+++ b/source3/libsmb/libsmb_dir.c
@@ -379,9 +379,9 @@ SMBC_opendir_ctx(SMBCCTX *context,
 	char *options = NULL;
 	char *workgroup = NULL;
 	char *path = NULL;
+	size_t path_len = 0;
 	uint16_t mode;
 	uint16_t port = 0;
-	char *p = NULL;
 	SMBCSRV *srv = NULL;
 	SMBCFILE *dir = NULL;
 	struct sockaddr_storage rem_ss;
@@ -802,7 +802,7 @@ SMBC_opendir_ctx(SMBCCTX *context,
 
 	/* Now, list the files ... */
 
-	p = path + strlen(path);
+	path_len = strlen(path);
 	path = talloc_asprintf_append(path, "\\*");
 	if (!path) {
 		if (dir) {
@@ -844,7 +844,7 @@ SMBC_opendir_ctx(SMBCCTX *context,
 				 * got would have been EINVAL rather
 				 * than ENOTDIR.
 				 */
-				*p = '\0'; /* restore original path */
+				path[path_len] = '\0'; /* restore original path */
 				if (SMBC_getatr(context, srv, path,
 						&mode, NULL,
-- 
2.11.0
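Review bot: The new `path_len = strlen(path);` in the second hunk removes the dangling pointer, but nothing at that site records why an offset is kept instead of a pointer, so a later edit could reintroduce the saved-pointer pattern. I would add a one-line comment above it, `/* Keep an offset, not a pointer: talloc_asprintf_append() may realloc path. */`, and the same rationale applies to the restore in the third hunk, `path[path_len] = '\0';`, which truncates the string in place while the talloc allocation keeps its larger size. The body of SMBC_opendir_ctx begins before the first hunk and continues after the last one, so the paths between the save and the restore are not visible here; the fix looks correct on the assumption, stated in the commit message, that `path` is only ever moved by the append and not reassigned elsewhere in between.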