windows-smb-vc-uid-missing-20081117

LICENSE MIT
FIXES 123655

Protect against an smb packet containing a uid for which we have no
active session in the virtual circuit.

diff --git a/src/WINNT/afsd/smb.c b/src/WINNT/afsd/smb.c
index ece4ff4c385e3acaef154c846d197eedd9cb1524..5e8624758e7f9dbfb4b9b5f82b944b7d179893a8 100644 (file)
--- a/src/WINNT/afsd/smb.c
+++ b/src/WINNT/afsd/smb.c
@@ -4073,10 +4073,11 @@ long smb_ReceiveCoreTreeConnect(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *
 
     tidp = smb_FindTID(vcp, newTid, SMB_FLAG_CREATE);
     uidp = smb_FindUID(vcp, ((smb_t *)inp)->uid, 0);
+    if (!uidp)
+        return CM_ERROR_BADSMB;
     userp = smb_GetUserFromUID(uidp);
     shareFound = smb_FindShare(vcp, uidp, shareName, &sharePath);
-    if (uidp)
-        smb_ReleaseUID(uidp);
+    smb_ReleaseUID(uidp);
     if (!shareFound) {
         smb_ReleaseTID(tidp, FALSE);
         return CM_ERROR_BADSHARENAME;

diff --git a/src/WINNT/afsd/smb_ioctl.c b/src/WINNT/afsd/smb_ioctl.c
index 8b35443ca2da6362cdcbe49edfc9da45b2b9d618..eb9e67996355c44014f46259361175ed5a569d50 100644 (file)
--- a/src/WINNT/afsd/smb_ioctl.c
+++ b/src/WINNT/afsd/smb_ioctl.c
@@ -349,6 +349,8 @@ smb_IoctlV3Read(smb_fid_t *fidp, smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t
     count = smb_GetSMBParm(inp, 5);
        
     uidp = smb_FindUID(vcp, ((smb_t *)inp)->uid, 0);
+    if (!uidp)
+        return CM_ERROR_BADSMB;
     userp = smb_GetUserFromUID(uidp);
     osi_assertx(userp != NULL, "null cm_user_t");
     iop->uidp = uidp;