s3:smb2_notify: fix use after free on long living notify requests

Enterprise / Samba - Stefan Metzmacher [samba.org] - 14 February 2014 04:18 UTC

This is a hack, but it should fix the bug:

change_notify_add_request() talloc moves smb_request away, which is not expected by the smb2_notify.c code...

smbd_smb2_notify_reply() uses tevent_req_defer_callback() (in older versions an immediate event) to defer the response. This is needed as change_notify_reply() will do more things after calling reply_fn() (smbd_smb2_notify_reply is this case) and often change_notify_remove_request() is called after change_notify_reply().

change_notify_remove_request() implicitly free's the smb_request that was passed to change_notify_add_request().

smbd_smb2_fake_smb_request() added the smb_request as smb2req->smb1req, which is expected to be available after smbd_smb2_notify_recv() returned.

The long term solution would be the following interface:

struct tevent_req *change_notify_request_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, struct files_struct *fsp, uint32_t max_length, uint32_t filter, bool recursive); NTSTATUS change_notify_request_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, DATA_BLOB *buffer);

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10442

e0bf930 s3:smb2_notify: fix use after free on long living notify requests
source3/smbd/smb2_notify.c | 55 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 55 insertions(+)

Upstream: gitweb.samba.org


  • Share