author | Stefan Metzmacher <metze@samba.org> | 2008-12-08 15:51:01 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2008-12-08 15:51:01 +0100 |
commit | 53c41661bd9692c7bdba04b7de6adc3887ab529f (patch) | |
tree | f399a9bfb7497fcfdeb445a86cb0c54937cf6b4c | |
parent | 26200f4fb1db81be7a9da51f317e46405351b170 (diff) | |
s4:rpc_server: fix crash bugs in 26200f4fb1db81be7a9da51f317e46405351b170
call->context needs to be valid.
metze
-rw-r--r-- | source4/rpc_server/dcerpc_server.c | 20 |
1 files changed, 13 insertions, 7 deletions
diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index 533dd16263..063e3ff3bd 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -793,12 +793,14 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
 context_id = call->pkt.u.alter.ctx_list[0].context_id;
 /* see if they are asking for a new interface */
- if (result == 0 &&
- dcesrv_find_context(call->conn, context_id) == NULL) {
- status = dcesrv_alter_new_context(call, context_id);
- if (!NT_STATUS_IS_OK(status)) {
- result = DCERPC_BIND_PROVIDER_REJECT;
- reason = DCERPC_BIND_REASON_ASYNTAX;
+ if (result == 0) {
+ call->context = dcesrv_find_context(call->conn, context_id);
+ if (!call->context) {
+ status = dcesrv_alter_new_context(call, context_id);
+ if (!NT_STATUS_IS_OK(status)) {
+ result = DCERPC_BIND_PROVIDER_REJECT;
+ reason = DCERPC_BIND_REASON_ASYNTAX;
+ }
 }
 }
@@ -819,7 +821,11 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
 pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
 pkt.u.alter_resp.max_xmit_frag = 0x2000;
 pkt.u.alter_resp.max_recv_frag = 0x2000;
- pkt.u.alter_resp.assoc_group_id = call->context->assoc_group_id;
+ if (result == 0) {
+ pkt.u.alter_resp.assoc_group_id = call->context->assoc_group_id;
+ } else {
+ pkt.u.alter_resp.assoc_group_id = 0;
+ }
 pkt.u.alter_resp.num_results = 1;
 pkt.u.alter_resp.ctx_list = talloc_array(call, struct dcerpc_ack_ctx, 1);
 if (!pkt.u.alter_resp.ctx_list) {
|
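Review bot: `call->context` is assigned only inside the new `if (result == 0)` branch in the first hunk, so on the reject path it keeps whatever value it had on entry, and nothing in the code says so. A short comment above the branch would record that, for example `/* call->context is only (re)assigned when result == 0; do not dereference it on the reject path */`. Separately, `context_id` is read from `call->pkt.u.alter.ctx_list[0]` in the context line above, and the hunk shows no check that the client-supplied list holds at least one entry before that read. The body of dcesrv_alter starts outside the hunk, so such a check may already exist earlier; if it does not, it belongs before this line.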
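Review bot: In the second hunk the dereference `call->context->assoc_group_id` is guarded by `result == 0` rather than by the pointer itself. It is therefore safe only if dcesrv_alter_new_context() always leaves `call->context` non-NULL when it returns OK, which cannot be confirmed from the visible lines. Testing the pointer directly removes that dependency: `if (result == 0 && call->context != NULL) {`. Because this path is driven by a client-supplied alter_context request, a missed case here would be a NULL dereference in the server, the same kind of crash this commit sets out to fix. The function continues past the end of the hunk.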