DEVEL15-windows-smb-out-of-memory-20071129

It turns out that LsaCallAuthenticationPackage can succeed but still
fail with an extended error.  The one case that we have seen reported
is STATUS_NO_MEMORY which would be produced when the paging file is
full.  This could be a transient error that will be resolved after
Windows increases the paging file size.

Instead of crashing under this condition we should force the authentication
to fail and permit the client to retry.

WER 567093715-1-0405174244

(cherry picked from commit ee839a167eea5c0b3e2a45bf1e47b268419dc04e)

diff --git a/src/WINNT/afsd/smb.c b/src/WINNT/afsd/smb.c
index 781fa3c655f699d6396102db9554869f6ab61915..8597476fd88bc88075123ce9a81b509a288f61f1 100644 (file)
--- a/src/WINNT/afsd/smb.c
+++ b/src/WINNT/afsd/smb.c
@@ -936,7 +936,7 @@ smb_vc_t *smb_FindVC(unsigned short lsn, int flags, int lana)
              */
             NTSTATUS nts = STATUS_UNSUCCESSFUL, ntsEx = STATUS_UNSUCCESSFUL;
             MSV1_0_LM20_CHALLENGE_REQUEST lsaReq;
-            PMSV1_0_LM20_CHALLENGE_RESPONSE lsaResp;
+            PMSV1_0_LM20_CHALLENGE_RESPONSE lsaResp = NULL;
             ULONG lsaRespSize = 0;
 
             lsaReq.MessageType = MsV1_0Lm20ChallengeRequest;
@@ -948,13 +948,25 @@ smb_vc_t *smb_FindVC(unsigned short lsn, int flags, int lana)
                                                 &lsaResp,
                                                 &lsaRespSize,
                                                 &ntsEx);
-            if (nts != STATUS_SUCCESS)
+            if (nts != STATUS_SUCCESS || ntsEx != STATUS_SUCCESS) {
                 osi_Log4(smb_logp,"MsV1_0Lm20ChallengeRequest failure: nts 0x%x ntsEx 0x%x respSize is %u needs %u",
                          nts, ntsEx, sizeof(lsaReq), lsaRespSize);
+                    afsi_log("MsV1_0Lm20ChallengeRequest failure: nts 0x%x ntsEx 0x%x respSize %u",
+                         nts, ntsEx, lsaRespSize);
+            }
             osi_assertx(nts == STATUS_SUCCESS, "LsaCallAuthenticationPackage failed"); /* this had better work! */
 
-            memcpy(vcp->encKey, lsaResp->ChallengeToClient, MSV1_0_CHALLENGE_LENGTH);
-            LsaFreeReturnBuffer(lsaResp);
+            if (ntsEx == STATUS_SUCCESS) {
+                memcpy(vcp->encKey, lsaResp->ChallengeToClient, MSV1_0_CHALLENGE_LENGTH);
+                LsaFreeReturnBuffer(lsaResp);
+            } else {
+                /* 
+                 * This will cause the subsequent authentication to fail but
+                 * that is better than us dereferencing a NULL pointer and 
+                 * crashing.
+                 */
+                memset(vcp->encKey, 0, MSV1_0_CHALLENGE_LENGTH);
+            }
         }
         else
             memset(vcp->encKey, 0, MSV1_0_CHALLENGE_LENGTH);