From 907e2f148f2dbb972675d9f39a752931fd798ec7 Mon Sep 17 00:00:00 2001
From: Jeffrey Altman
Date: Thu, 8 Nov 2012 12:20:30 -0500
Subject: [PATCH] Windows: Prevent SMB unitialized variable access

smb_ReceiveNTTranCreate would make use of 'fidp' before it was allocated.

Reviewed-on: http://gerrit.openafs.org/8411
Tested-by: BuildBot
Reviewed-by: Jeffrey Altman
(cherry picked from commit 6f79eb36593a2b20e712cf7e828e987e12f8e99f)
Change-Id: Ifedf7887c76698ecb32a1c0fa9f4c01e3df74817
Reviewed-on: http://gerrit.openafs.org/8646
Tested-by: BuildBot
Reviewed-by: Jeffrey Altman
---
 src/WINNT/afsd/smb3.c | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/src/WINNT/afsd/smb3.c b/src/WINNT/afsd/smb3.c
index 55341831b..c2b10c397 100644
--- a/src/WINNT/afsd/smb3.c
+++ b/src/WINNT/afsd/smb3.c
@@ -8739,6 +8739,14 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
         cm_FreeSpace(spacep);
     }
 
+    /* open the file itself */
+    fidp = smb_FindFID(vcp, 0, SMB_FLAG_CREATE);
+    osi_assertx(fidp, "null smb_fid_t");
+
+    /* save a reference to the user */
+    cm_HoldUser(userp);
+    fidp->userp = userp;
+
     /* if we get here, if code is 0, the file exists and is represented by
      * scp. Otherwise, we have to create it. The dir may be represented
      * by dscp, or we may have found the file directly. If code is non-zero,
@@ -8751,6 +8759,8 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
         cm_ReleaseSCache(dscp);
         cm_ReleaseSCache(scp);
         cm_ReleaseUser(userp);
+        smb_CloseFID(vcp, fidp, NULL, 0);
+        smb_ReleaseFID(fidp);
         free(realPathp);
         return code;
     }
@@ -8762,6 +8772,8 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
         cm_ReleaseSCache(dscp);
         cm_ReleaseSCache(scp);
         cm_ReleaseUser(userp);
+        smb_CloseFID(vcp, fidp, NULL, 0);
+        smb_ReleaseFID(fidp);
         free(realPathp);
         return CM_ERROR_EXISTS;
     }
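Review bot: The comment `/* open the file itself */` on the moved allocation in the 8739 hunk no longer says what the move implies: from this point on every early return owes a `smb_CloseFID`/`smb_ReleaseFID` pair, which is why the remaining hunks exist. Suggest `/* allocate the fid before the lookup checks so it is valid on every path; each early return from here on must smb_CloseFID()/smb_ReleaseFID() it */`. The `osi_assertx(fidp, "null smb_fid_t")` continues to treat allocation failure as fatal, as it did at the old location. smb_ReceiveNTTranCreate begins before this hunk.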
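Review bot: The added `smb_CloseFID(vcp, fidp, NULL, 0)` in the 8751 hunk runs on a fid that has no file attached yet (only `fidp->userp` is set in the 8739 hunk) and after the function's own `cm_ReleaseUser(userp)`; this is only correct if smb_CloseFID tolerates a fid without an scp and itself drops the reference taken by `cm_HoldUser`, neither of which these hunks show, so it is worth confirming — otherwise the user reference leaks on every error path. The same four-line teardown is repeated verbatim in the hunks at 8762, 8794, 8808, 8898, 8930 and 8940. Consider routing those returns through a single cleanup label at the end of smb_ReceiveNTTranCreate so a future early return added between the fid allocation and the open cannot omit the close/release pair. The enclosing function starts before the first hunk and continues past the last.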
@@ -8794,6 +8806,8 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
         if (scp)
             cm_ReleaseSCache(scp);
         cm_ReleaseUser(userp);
+        smb_CloseFID(vcp, fidp, NULL, 0);
+        smb_ReleaseFID(fidp);
         free(realPathp);
         return code;
     }
@@ -8808,6 +8822,8 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
         /* don't create if not found */
         cm_ReleaseSCache(dscp);
         cm_ReleaseUser(userp);
+        smb_CloseFID(vcp, fidp, NULL, 0);
+        smb_ReleaseFID(fidp);
         free(realPathp);
         return CM_ERROR_NOSUCHFILE;
     }
@@ -8898,6 +8914,8 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
         if (scp)
             cm_ReleaseSCache(scp);
         cm_ReleaseUser(userp);
+        smb_CloseFID(vcp, fidp, NULL, 0);
+        smb_ReleaseFID(fidp);
         free(realPathp);
         return code;
     }
@@ -8930,6 +8948,8 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
         cm_CheckNTOpenDone(scp, userp, &req, &ldp);
         cm_ReleaseSCache(scp);
         cm_ReleaseUser(userp);
+        smb_CloseFID(vcp, fidp, NULL, 0);
+        smb_ReleaseFID(fidp);
         free(realPathp);
         return CM_ERROR_ISDIR;
     }
@@ -8940,18 +8960,12 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
         cm_CheckNTOpenDone(scp, userp, &req, &ldp);
         cm_ReleaseSCache(scp);
         cm_ReleaseUser(userp);
+        smb_CloseFID(vcp, fidp, NULL, 0);
+        smb_ReleaseFID(fidp);
         free(realPathp);
         return CM_ERROR_NOTDIR;
     }
 
-    /* open the file itself */
-    fidp = smb_FindFID(vcp, 0, SMB_FLAG_CREATE);
-    osi_assertx(fidp, "null smb_fid_t");
-
-    /* save a reference to the user */
-    cm_HoldUser(userp);
-    fidp->userp = userp;
-
     /* If we are restricting sharing, we should do so with a suitable
        share lock. */
     if (scp->fileType == CM_SCACHETYPE_FILE &&
-- 
2.39.5