Fix use-after-free in asn1_write

Signed-off-by: Jeff Layton <jlayton@redhat.com>

0001-asn1-fix-use-after-free-in-asn1_write.patch

@@ -0,0 +1,30 @@
+From 3aa83995d7c0ef632fe0af3d032e48691a5ce781 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@samba.org>
+Date: Sun, 13 Oct 2013 21:07:28 -0400
+Subject: [PATCH] asn1: fix use-after-free in asn1_write
+
+If the talloc_realloc() fails, asn1_write calls talloc_free on the
+context and then immediately dereferences the pointer.
+
+Fix this by skipping the talloc_free here. Let the caller handle it.
+
+Signed-off-by: Jeff Layton <jlayton@samba.org>
+---
+ asn1.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/asn1.c b/asn1.c
+index ea50a23..4c0e480 100644
+--- a/asn1.c
++++ b/asn1.c
+@@ -47,7 +47,6 @@ bool asn1_write(struct asn1_data *data, const void *p, int len)
+ 		uint8_t *newp;
+ 		newp = talloc_realloc(data, data->data, uint8_t, data->ofs+len);
+ 		if (!newp) {
+-			asn1_free(data);
+ 			data->has_error = true;
+ 			return false;
+ 		}
+-- 
+1.8.3.1
+

cifs-utils.spec

@@ -23,6 +23,7 @@ Patch2:          0002-getcifsacl-remove-some-dead-code.patch
 Patch3:          0003-asn1-remove-some-usused-functions.patch
 Patch4:          0004-data_blob-clean-out-unused-functions.patch
 Patch5:          0005-mount.cifs-fix-bad-free-of-string-returned-by-dirnam.patch
+Patch6:		 0001-asn1-fix-use-after-free-in-asn1_write.patch
 
 %description
 The SMB/CIFS protocol is a standard file sharing protocol widely deployed
@@ -48,6 +49,7 @@ necessary for building ID mapping plugins for cifs-utils.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 
 %build
 %configure --prefix=/usr ROOTSBINDIR=%{_sbindir}
@@ -97,6 +99,9 @@ fi
 %{_includedir}/cifsidmap.h
 
 %changelog
+* Mon Oct 14 2013 Jeff Layton <jlayton@redhat.com> 6.2-4
+- fix use-after-free in asn1_write
+
 * Fri Oct 11 2013 Jeff Layton <jlayton@redhat.com> 6.2-3
 - fixes for bugs reported by coverity:
 - update bad bit shift patch with one that patches getcifsacl.c too