9881 smbd terminated by SIGABRT after smb_account_free()

Review Request #1229 - Created Oct. 10, 2018 and updated

Information
Submitter: Vitaliy Gusev
Repository: illumos-gate
Branch: master
Bugs: 9881
Commit: 39a1b92...
Reviewers
Groups: general
People: gwr, jbk

Fix double free when lsa_lookup_sid() failed

A double free can occur if lsa_lookup_sid() returns an error with a polluted @info argument.

The lsa_LookupSids and lsa_LookupSids2 calls are vulnerable.

Before fix:

~# rpcclient -U ""%"" -c "lookupsids S-1-5" 192.168.1.18
result was NT_STATUS_IO_TIMEOUT

And core files at the SMB server side (/core.smbd.1538999930).

After fix:

~# rpcclient -U ""%"" -c "lookupsids S-1-5" 192.168.1.18
S-1-5 unknown*unknown* (8)

No core files at server side.

Review request changed

Change Summary:

  1. Place bzero at the end of smb_account_free().
  2. Fixes 'git pbchk' warnings for original code:
    usr/src/lib/smbsrv/libsmb/common/smb_sam.c:95: space tab sequences
    usr/src/lib/smbsrv/libsmb/common/smb_sam.c:205: space tab sequences

Commit:

-61d2ed7b8cd81a19572ffdb77ff3c29848c9f4c3
+39a1b92973bc8fc6ebb5d8b29f0bf3f96cde038e

Diff:

Revision 2 (+6 -2)

Gordon Ross
Ship It!
Jason King
Ship It!
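
The pattern named in the change summary (clearing the structure at the end of its free routine), as an added C example that is not the illumos code. The names acct_t, acct_free(), acct_lookup() and handle_lookup() are hypothetical, memset() stands in for bzero(), and the error path that frees info before the caller does is an assumed model of the failure.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical account record; not the illumos structure. */
typedef struct acct { char *a_name; char *a_domain; } acct_t;

static char *
dupstr(const char *s)
{
	size_t n = strlen(s) + 1;
	char *p = malloc(n);
	return (p != NULL ? memcpy(p, s, n) : NULL);
}

/* Free owned memory, then zero the struct (memset has the effect of bzero). */
void
acct_free(acct_t *a)
{
	free(a->a_name);
	free(a->a_domain);
	memset(a, 0, sizeof (*a));	/* a repeat call now only does free(NULL) */
}

/* Assumed failure mode: fill *info, fail, free it, return to a caller that still holds it. */
int
acct_lookup(const char *sid, acct_t *info)
{
	info->a_name = dupstr("unknown");
	info->a_domain = dupstr("unknown");
	if (strcmp(sid, "S-1-5") == 0) {	/* constructed: this SID cannot be resolved */
		acct_free(info);		/* first free, on the error path */
		return (-1);
	}
	return (0);
}

/* Caller whose common exit path frees info whether or not the lookup succeeded. */
int
handle_lookup(const char *sid)
{
	acct_t info = { NULL, NULL };
	int rc = acct_lookup(sid, &info);
	acct_free(&info);	/* second free after a failure; harmless once zeroed */
	return (rc);
}

int main(void) { return (handle_lookup("S-1-5") == -1 ? 0 : 1); }
```

Without the memset() line, the second acct_free() in handle_lookup() would pass the already released pointers to free() again, which is the abort the bug title describes.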