DEVEL15-windows-smb-vc-uid-missing-20081117

LICENSE MIT
FIXES 123655

Protect against an smb packet containing a uid for which we have no
active session in the virtual circuit.

(cherry picked from commit 5fe7d9c6d9482651859d91f3022ac5ae0a127835)

diff --git a/src/WINNT/afsd/smb.c b/src/WINNT/afsd/smb.c
index 77ee01178729169f7ada11c50c744d33acffdf5d..64124d8367e1967f9e56ccbbb84ecec23c18a865 100644 (file)
--- a/src/WINNT/afsd/smb.c
+++ b/src/WINNT/afsd/smb.c
@@ -4073,10 +4073,11 @@ long smb_ReceiveCoreTreeConnect(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *
 
     tidp = smb_FindTID(vcp, newTid, SMB_FLAG_CREATE);
     uidp = smb_FindUID(vcp, ((smb_t *)inp)->uid, 0);
+    if (!uidp)
+        return CM_ERROR_BADSMB;
     userp = smb_GetUserFromUID(uidp);
     shareFound = smb_FindShare(vcp, uidp, shareName, &sharePath);
-    if (uidp)
-        smb_ReleaseUID(uidp);
+    smb_ReleaseUID(uidp);
     if (!shareFound) {
         smb_ReleaseTID(tidp, FALSE);
         return CM_ERROR_BADSHARENAME;

diff --git a/src/WINNT/afsd/smb_ioctl.c b/src/WINNT/afsd/smb_ioctl.c
index d15585efc38f5478d036bda17ea381c97069f152..64c829abae0fc64277abd81f5a49f8c1c2846cad 100644 (file)
--- a/src/WINNT/afsd/smb_ioctl.c
+++ b/src/WINNT/afsd/smb_ioctl.c
@@ -349,6 +349,8 @@ smb_IoctlV3Read(smb_fid_t *fidp, smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t
     count = smb_GetSMBParm(inp, 5);
        
     uidp = smb_FindUID(vcp, ((smb_t *)inp)->uid, 0);
+    if (!uidp)
+        return CM_ERROR_BADSMB;
     userp = smb_GetUserFromUID(uidp);
     osi_assertx(userp != NULL, "null cm_user_t");
     iop->uidp = uidp;