From patchwork Mon Oct 14 10:26:17 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jeff Layton <jlayton@samba.org>
X-Patchwork-Id: 3035221
Return-Path: <linux-cifs-owner@kernel.org>
X-Original-To: patchwork-cifs-client@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.19.201])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id B45E99F243
	for <patchwork-cifs-client@patchwork.kernel.org>;
	Mon, 14 Oct 2013 10:26:28 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 255EE20184
	for <patchwork-cifs-client@patchwork.kernel.org>;
	Mon, 14 Oct 2013 10:26:24 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id CCEFC20174
	for <patchwork-cifs-client@patchwork.kernel.org>;
	Mon, 14 Oct 2013 10:26:22 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754598Ab3JNK0W (ORCPT
	<rfc822;patchwork-cifs-client@patchwork.kernel.org>);
	Mon, 14 Oct 2013 06:26:22 -0400
Received: from mail-qe0-f54.google.com ([209.85.128.54]:34048 "EHLO
	mail-qe0-f54.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753874Ab3JNK0V (ORCPT
	<rfc822; linux-cifs@vger.kernel.org>); Mon, 14 Oct 2013 06:26:21 -0400
Received: by mail-qe0-f54.google.com with SMTP id 1so5202470qec.27
	for <linux-cifs@vger.kernel.org>;
	Mon, 14 Oct 2013 03:26:21 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:sender:from:to:subject:date:message-id;
	bh=jCacjcInvZLMk74M4UrgC4pBPo/Ur4+mnleQACYe8ow=;
	b=CNQT6HZU+CyqEtENP1TqZDWOqVrefCkpOf0s0D1vQYO6oCg4VEV2rbfHGFS6CiKlQS
	XQnfRgubmviXmDKKPeT6/UczPiXP55jilzlJMNDDC5o4RfkDMRlcNJbOk8KuornPJ7yY
	1wYsB4z2XV72VqOzX8NcHpY7nNEQjyb7IDGDA5ZLF+TmDO7F056cJsLomjA+uV5P6JOE
	FK0YqWKh3P/F3K0sh6h/HkhBXB4GO7O5MQ9aNaHDplZscnKUbEWLBJhBkQXZthUxudSy
	Dcv2KIMl9o7mzBq8jjrnj1d0UdLhByzBGtuuGzFdesS8wfF10RTerwACrnWof8UsNFDT
	cZEQ==
X-Gm-Message-State: 
 ALoCoQnjggANKNJ81PWgdSaPBUtyGO1nIRiwlmTYPBBPyliPESDPotlRmvfCTOk4BZ8Ayknz/ZgJ
X-Received: by 10.49.3.3 with SMTP id 3mr25039021qey.56.1381746381253;
	Mon, 14 Oct 2013 03:26:21 -0700 (PDT)
Received: from salusa.poochiereds.net (cpe-107-015-124-230.nc.res.rr.com.
	[107.15.124.230]) by mx.google.com with ESMTPSA id
	a9sm104181415qed.6.1969.12.31.16.00.00
	(version=TLSv1.2 cipher=RC4-SHA bits=128/128);
	Mon, 14 Oct 2013 03:26:20 -0700 (PDT)
From: Jeff Layton <jlayton@samba.org>
To: linux-cifs@vger.kernel.org
Subject: [PATCH][cifs-utils] asn1: fix use-after-free in asn1_write
Date: Mon, 14 Oct 2013 06:26:17 -0400
Message-Id: <1381746377-1870-1-git-send-email-jlayton@samba.org>
X-Mailer: git-send-email 1.8.3.1
Sender: linux-cifs-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-cifs.vger.kernel.org>
X-Mailing-List: linux-cifs@vger.kernel.org
X-Spam-Status: No, score=-7.4 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI,
	RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

If the talloc_realloc() fails, asn1_write calls talloc_free on the
context and then immediately dereferences the pointer.

Fix this by skipping the talloc_free here. Let the caller handle it.

Signed-off-by: Jeff Layton <jlayton@samba.org>
---
 asn1.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/asn1.c b/asn1.c
index ea50a23..4c0e480 100644
--- a/asn1.c
+++ b/asn1.c
@@ -47,7 +47,6 @@ bool asn1_write(struct asn1_data *data, const void *p, int len)
 		uint8_t *newp;
 		newp = talloc_realloc(data, data->data, uint8_t, data->ofs+len);
 		if (!newp) {
-			asn1_free(data);
 			data->has_error = true;
 			return false;
 		}