[PATCH 13/17] smb2_ioctl: only pass through to VFS on a valid fsp

David Disseldorp ddiss at samba.org
Tue Jan 15 09:23:08 MST 2013


A null fsp is dereferenced on VFS call.
---
 source3/smbd/smb2_ioctl_network_fs.c |   30 +++++++++++++++++-------------
 1 file changed, 17 insertions(+), 13 deletions(-)

diff --git a/source3/smbd/smb2_ioctl_network_fs.c b/source3/smbd/smb2_ioctl_network_fs.c
index e984fea..5721a4c 100644
--- a/source3/smbd/smb2_ioctl_network_fs.c
+++ b/source3/smbd/smb2_ioctl_network_fs.c
@@ -505,19 +505,23 @@ struct tevent_req *smb2_ioctl_network_fs(uint32_t ctl_code,
 		uint8_t *out_data = NULL;
 		uint32_t out_data_len = 0;
 
-		status = SMB_VFS_FSCTL(state->fsp,
-				       state,
-				       ctl_code,
-				       state->smbreq->flags2,
-				       state->in_input.data,
-				       state->in_input.length,
-				       &out_data,
-				       state->in_max_output,
-				       &out_data_len);
-		state->out_output = data_blob_const(out_data, out_data_len);
-		if (NT_STATUS_IS_OK(status)) {
-			tevent_req_done(req);
-			return tevent_req_post(req, ev);
+		if (state->fsp == NULL) {
+			status = NT_STATUS_NOT_SUPPORTED;
+		} else {
+			status = SMB_VFS_FSCTL(state->fsp,
+					       state,
+					       ctl_code,
+					       state->smbreq->flags2,
+					       state->in_input.data,
+					       state->in_input.length,
+					       &out_data,
+					       state->in_max_output,
+					       &out_data_len);
+			state->out_output = data_blob_const(out_data, out_data_len);
+			if (NT_STATUS_IS_OK(status)) {
+				tevent_req_done(req);
+				return tevent_req_post(req, ev);
+			}
 		}
 
 		if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
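Review bot: The new `state->fsp == NULL` branch picks NT_STATUS_NOT_SUPPORTED so that control reaches the existing `NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)` handling just below, but nothing in the hunk says so, and a reader may expect NT_STATUS_INVALID_HANDLE for a request that carries no open file. A one-line comment above the assignment would capture the intent, e.g. `/* no fsp to pass to the VFS: fall through to the generic NOT_SUPPORTED handling below */`. On that path `state->out_output` is never assigned and `out_data`/`out_data_len` are unused, so the fall-through handling presumably relies on whatever the function initialised earlier, which is outside this hunk; declaring the two locals inside the `else` would make that explicit. The enclosing function `smb2_ioctl_network_fs` begins before and continues after this hunk.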
-- 
1.7.10.4


