[cifs-utils/f19] Fix use-after-free in asn1_write
Jeff Layton
jlayton at fedoraproject.org
Mon Oct 14 10:58:57 UTC 2013
commit f1f3e0dba1362df83a67964d7dd8d318d97137ef
Author: Jeff Layton <jlayton at redhat.com>
Date: Mon Oct 14 06:58:40 2013 -0400
Fix use-after-free in asn1_write
Signed-off-by: Jeff Layton <jlayton at redhat.com>
0001-asn1-fix-use-after-free-in-asn1_write.patch | 30 ++++++++++++++++++++++
cifs-utils.spec | 7 ++++-
2 files changed, 36 insertions(+), 1 deletions(-)
---
diff --git a/0001-asn1-fix-use-after-free-in-asn1_write.patch b/0001-asn1-fix-use-after-free-in-asn1_write.patch
new file mode 100644
index 0000000..ff9be39
--- /dev/null
+++ b/0001-asn1-fix-use-after-free-in-asn1_write.patch
@@ -0,0 +1,30 @@
+From 3aa83995d7c0ef632fe0af3d032e48691a5ce781 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton at samba.org>
+Date: Sun, 13 Oct 2013 21:07:28 -0400
+Subject: [PATCH] asn1: fix use-after-free in asn1_write
+
+If the talloc_realloc() fails, asn1_write calls talloc_free on the
+context and then immediately dereferences the pointer.
+
+Fix this by skipping the talloc_free here. Let the caller handle it.
+
+Signed-off-by: Jeff Layton <jlayton at samba.org>
+---
+ asn1.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/asn1.c b/asn1.c
+index ea50a23..4c0e480 100644
+--- a/asn1.c
++++ b/asn1.c
+@@ -47,7 +47,6 @@ bool asn1_write(struct asn1_data *data, const void *p, int len)
+ uint8_t *newp;
+ newp = talloc_realloc(data, data->data, uint8_t, data->ofs+len);
+ if (!newp) {
+- asn1_free(data);
+ data->has_error = true;
+ return false;
+ }
+--
+1.8.3.1
+
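Review bot: removing `asn1_free(data);` ahead of `data->has_error = true;` does eliminate the dereference of a freed context on the talloc_realloc() failure path, but it also means the context now stays allocated after a failed write, so the fix relies on every caller of asn1_write() checking the false return and freeing the context itself ("Let the caller handle it"); it would be worth confirming that the callers in this tree do so, otherwise the change trades a use-after-free for a leak, and a short comment on the error path stating that ownership now rests with the caller would make that contract explicit. Since talloc_realloc() leaves the original data->data buffer intact when it fails, setting has_error and returning false leaves the context in a consistent state for the caller to free.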
diff --git a/cifs-utils.spec b/cifs-utils.spec
index 2d8e382..37ee458 100644
--- a/cifs-utils.spec
+++ b/cifs-utils.spec
@@ -3,7 +3,7 @@
Name: cifs-utils
Version: 6.2
-Release: 3%{pre_release}%{?dist}
+Release: 4%{pre_release}%{?dist}
Summary: Utilities for mounting and managing CIFS mounts
Group: System Environment/Daemons
@@ -23,6 +23,7 @@ Patch2: 0002-getcifsacl-remove-some-dead-code.patch
Patch3: 0003-asn1-remove-some-usused-functions.patch
Patch4: 0004-data_blob-clean-out-unused-functions.patch
Patch5: 0005-mount.cifs-fix-bad-free-of-string-returned-by-dirnam.patch
+Patch6: 0001-asn1-fix-use-after-free-in-asn1_write.patch
%description
The SMB/CIFS protocol is a standard file sharing protocol widely deployed
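Review bot: the new entry is registered as Patch6 but keeps the git format-patch default file name `0001-asn1-fix-use-after-free-in-asn1_write.patch`, whereas the existing Patch2 through Patch5 entries use `0002-` through `0005-` prefixes that match their Patch numbers; renaming the file to `0006-asn1-fix-use-after-free-in-asn1_write.patch` (and the `diff --git` target for the new file accordingly) would keep the numbering consistent and avoid confusion with a `0001-` prefixed patch.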
@@ -48,6 +49,7 @@ necessary for building ID mapping plugins for cifs-utils.
%patch3 -p1
%patch4 -p1
%patch5 -p1
+%patch6 -p1
%build
%configure --prefix=/usr ROOTSBINDIR=%{_sbindir}
@@ -97,6 +99,9 @@ fi
%{_includedir}/cifsidmap.h
%changelog
+* Mon Oct 14 2013 Jeff Layton <jlayton at redhat.com> 6.2-4
+- fix use-after-free in asn1_write
+
* Fri Oct 11 2013 Jeff Layton <jlayton at redhat.com> 6.2-3
- fixes for bugs reported by coverity:
- update bad bit shift patch with one that patches getcifsacl.c too