From: Jeffrey Altman
Date: Thu, 8 Nov 2012 17:20:30 +0000 (-0500)
Subject: Windows: Prevent SMB unitialized variable access
X-Git-Tag: upstream/1.8.0_pre1^2~1829
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=6f79eb36593a2b20e712cf7e828e987e12f8e99f;p=packages%2Fo%2Fopenafs.git

Windows: Prevent SMB unitialized variable access

smb_ReceiveNTTranCreate would make use of 'fidp' before it was allocated.

Change-Id: Ib4a7262ba09f15049f1855535250638c2e5d17a4
Reviewed-on: http://gerrit.openafs.org/8411
Tested-by: BuildBot
Reviewed-by: Jeffrey Altman
---

diff --git a/src/WINNT/afsd/smb3.c b/src/WINNT/afsd/smb3.c
index 95079209d..d18343c67 100644
--- a/src/WINNT/afsd/smb3.c
+++ b/src/WINNT/afsd/smb3.c
@@ -8726,6 +8726,14 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
 cm_FreeSpace(spacep);
 }
 
+ /* open the file itself */
+ fidp = smb_FindFID(vcp, 0, SMB_FLAG_CREATE);
+ osi_assertx(fidp, "null smb_fid_t");
+
+ /* save a reference to the user */
+ cm_HoldUser(userp);
+ fidp->userp = userp;
+
 /* if we get here, if code is 0, the file exists and is represented by
 * scp. Otherwise, we have to create it. The dir may be represented
 * by dscp, or we may have found the file directly. If code is non-zero,
@@ -8738,6 +8746,8 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
 cm_ReleaseSCache(dscp);
 cm_ReleaseSCache(scp);
 cm_ReleaseUser(userp);
+ smb_CloseFID(vcp, fidp, NULL, 0);
+ smb_ReleaseFID(fidp);
 free(realPathp);
 return code;
 }
@@ -8749,6 +8759,8 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
 cm_ReleaseSCache(dscp);
 cm_ReleaseSCache(scp);
 cm_ReleaseUser(userp);
+ smb_CloseFID(vcp, fidp, NULL, 0);
+ smb_ReleaseFID(fidp);
 free(realPathp);
 return CM_ERROR_EXISTS;
 }
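Review bot: The relocated `osi_assertx(fidp, "null smb_fid_t");` in the hunk at -8726 now sits ahead of every lookup-result check, so if smb_FindFID can return NULL with SMB_FLAG_CREATE (not visible here), one request on this network-facing path would trip the assertion, presumably halting the service, instead of failing on its own. Consider replacing it with an error return that drops the references already held at that point and leaves the process running. Because the bug being fixed was a read of `fidp` before assignment, it would also help to initialise the pointer where it is declared, `smb_fid_t *fidp = NULL;`, so a later reordering cannot reintroduce a read of an indeterminate pointer. The declaration and the rest of smb_ReceiveNTTranCreate lie outside the hunk.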
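Review bot: The teardown pair `smb_CloseFID(vcp, fidp, NULL, 0); smb_ReleaseFID(fidp);` is pasted by hand into this return path (hunk at -8738) and again in the hunks at -8749, -8781, -8795, -8885, -8917 and -8927, so correctness depends on no exit being missed. With the FID now allocated in the first hunk, any return between there and the old allocation point that is not part of this diff would leak the FID and, presumably, the extra `cm_HoldUser` reference stored in it; those paths cannot be checked from the hunks shown. A comment at the allocation site such as `/* fidp is live from here on: every return below must smb_CloseFID() and smb_ReleaseFID() it */` would record the invariant, and routing the error exits through a single cleanup label would enforce it. The enclosing function extends beyond the hunk on both sides.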
@@ -8781,6 +8793,8 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
 if (scp)
 cm_ReleaseSCache(scp);
 cm_ReleaseUser(userp);
+ smb_CloseFID(vcp, fidp, NULL, 0);
+ smb_ReleaseFID(fidp);
 free(realPathp);
 return code;
 }
@@ -8795,6 +8809,8 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
 /* don't create if not found */
 cm_ReleaseSCache(dscp);
 cm_ReleaseUser(userp);
+ smb_CloseFID(vcp, fidp, NULL, 0);
+ smb_ReleaseFID(fidp);
 free(realPathp);
 return CM_ERROR_NOSUCHFILE;
 }
@@ -8885,6 +8901,8 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
 if (scp)
 cm_ReleaseSCache(scp);
 cm_ReleaseUser(userp);
+ smb_CloseFID(vcp, fidp, NULL, 0);
+ smb_ReleaseFID(fidp);
 free(realPathp);
 return code;
 }
@@ -8917,6 +8935,8 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
 cm_CheckNTOpenDone(scp, userp, &req, &ldp);
 cm_ReleaseSCache(scp);
 cm_ReleaseUser(userp);
+ smb_CloseFID(vcp, fidp, NULL, 0);
+ smb_ReleaseFID(fidp);
 free(realPathp);
 return CM_ERROR_ISDIR;
 }
@@ -8927,18 +8947,12 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
 cm_CheckNTOpenDone(scp, userp, &req, &ldp);
 cm_ReleaseSCache(scp);
 cm_ReleaseUser(userp);
+ smb_CloseFID(vcp, fidp, NULL, 0);
+ smb_ReleaseFID(fidp);
 free(realPathp);
 return CM_ERROR_NOTDIR;
 }
 
- /* open the file itself */
- fidp = smb_FindFID(vcp, 0, SMB_FLAG_CREATE);
- osi_assertx(fidp, "null smb_fid_t");
-
- /* save a reference to the user */
- cm_HoldUser(userp);
- fidp->userp = userp;
-
 /* If we are restricting sharing, we should do so with a suitable share lock. */
 if (scp->fileType == CM_SCACHETYPE_FILE &&