[PATCH 13/17] smb2_ioctl: only pass through to VFS on a valid fsp
David Disseldorp
ddiss at samba.org
Tue Jan 15 09:23:08 MST 2013
Without this check, a NULL fsp is dereferenced in the VFS call.
---
source3/smbd/smb2_ioctl_network_fs.c | 30 +++++++++++++++++-------------
1 file changed, 17 insertions(+), 13 deletions(-)
diff --git a/source3/smbd/smb2_ioctl_network_fs.c b/source3/smbd/smb2_ioctl_network_fs.c
index e984fea..5721a4c 100644
--- a/source3/smbd/smb2_ioctl_network_fs.c
+++ b/source3/smbd/smb2_ioctl_network_fs.c
@@ -505,19 +505,23 @@ struct tevent_req *smb2_ioctl_network_fs(uint32_t ctl_code,
uint8_t *out_data = NULL;
uint32_t out_data_len = 0;
- status = SMB_VFS_FSCTL(state->fsp,
- state,
- ctl_code,
- state->smbreq->flags2,
- state->in_input.data,
- state->in_input.length,
- &out_data,
- state->in_max_output,
- &out_data_len);
- state->out_output = data_blob_const(out_data, out_data_len);
- if (NT_STATUS_IS_OK(status)) {
- tevent_req_done(req);
- return tevent_req_post(req, ev);
+ if (state->fsp == NULL) {
+ status = NT_STATUS_NOT_SUPPORTED;
+ } else {
+ status = SMB_VFS_FSCTL(state->fsp,
+ state,
+ ctl_code,
+ state->smbreq->flags2,
+ state->in_input.data,
+ state->in_input.length,
+ &out_data,
+ state->in_max_output,
+ &out_data_len);
+ state->out_output = data_blob_const(out_data, out_data_len);
+ if (NT_STATUS_IS_OK(status)) {
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
}
if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
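Review bot: The new `if (state->fsp == NULL)` branch has no comment saying when fsp is NULL at this point or why `NT_STATUS_NOT_SUPPORTED` is the chosen status. That choice only makes sense together with the `NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)` check that follows, whose body lies outside the hunk. I would add above the branch `/* No open file for this request: skip the VFS call, which dereferences fsp, and let the NOT_SUPPORTED handling below pick the reply status. */`. Because the commit message describes a NULL dereference in the server's request path, it is also worth confirming that any other ctl_code cases in smb2_ioctl_network_fs() that use state->fsp (not visible here) have an equivalent guard. The function starts and ends outside the hunk.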
--
1.7.10.4