FreeBSD Bugzilla – Attachment 224944 Details for
Bug 255881
[PATCH] netsmb: Fix a use after free in smb_t2_request_int
[patch]
adds a variable "sr_flags" to avoid the uaf bug.
0001-netsmb-uaf-smb_t2_request_int.patch (text/plain), 798 bytes, created by
lylgood
on 2021-05-14 14:28:37 UTC
>diff --git a/sys/netsmb/smb_rq.c b/sys/netsmb/smb_rq.c >index 57bf053034ad..e4f3a7028575 100644 >--- a/sys/netsmb/smb_rq.c >+++ b/sys/netsmb/smb_rq.c >@@ -556,7 +556,7 @@ smb_t2_request_int(struct smb_t2rq *t2p) > struct mbuf *m; > struct smb_rq *rqp; > int totpcount, leftpcount, totdcount, leftdcount, len, txmax, i; >- int error, doff, poff, txdcount, txpcount, nmlen; >+ int error, doff, poff, txdcount, txpcount, nmlen, sr_flags; > > m = t2p->t2_tparam.mb_top; > if (m) { >@@ -737,9 +737,10 @@ smb_t2_request_int(struct smb_t2rq *t2p) > bad: > smb_iod_removerq(rqp); > freerq: >+ sr_flags = rqp->sr_flags; > smb_rq_done(rqp); > if (error) { >- if (rqp->sr_flags & SMBR_RESTART) >+ if (sr_flags & SMBR_RESTART) > t2p->t2_flags |= SMBT2_RESTART; > md_done(&t2p->t2_rparam); > md_done(&t2p->t2_rdata);
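Review bot: in the first hunk's declaration line, the new local sr_flags is added to the int list and shares its name with the rqp->sr_flags field it later copies. The field's declared type is not visible in this diff, so please confirm the local has the same type as the field so that no flag bits are narrowed or sign-converted by the copy. A distinct name (for example saved_flags) would also make it obvious at the use site that the code is testing a snapshot and not the live field.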
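Review bot: at the freerq: label in the second hunk, the fix depends entirely on the new assignment staying ahead of smb_rq_done(rqp), and nothing in the code records why. Please add a short comment there stating that rqp must not be dereferenced once smb_rq_done() has been called, so a later cleanup does not fold the copy back into "if (rqp->sr_flags & SMBR_RESTART)". Since the saved value is only consumed under "if (error)", an alternative worth considering is to set SMBT2_RESTART on t2p before the smb_rq_done(rqp) call and drop the extra local altogether.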