summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorVolker Lendecke <Volker.Lendecke@SerNet.DE>2008-12-05 13:20:55 -0800
committerJeremy Allison <jra@samba.org>2008-12-05 13:20:55 -0800
commitac4a77ccca08b73f828938a0cfaece66b1c9deea (patch)
tree3a118ef77872b671c088ed34c3d9d0ff2f65afe4
parent3656cb2e57d971f8119024dff8eb3594b559592d (diff)
downloadsamba-ac4a77ccca08b73f828938a0cfaece66b1c9deea.tar.gz
samba-ac4a77ccca08b73f828938a0cfaece66b1c9deea.tar.bz2
samba-ac4a77ccca08b73f828938a0cfaece66b1c9deea.zip
Fix for crash bug freeing a non-malloc'ed buffer if the client sends a non-encrypted packet with the crypto state set.
-rw-r--r--source3/libsmb/smb_seal.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/source3/libsmb/smb_seal.c b/source3/libsmb/smb_seal.c
index a81ae9afd5..795c8bc14c 100644
--- a/source3/libsmb/smb_seal.c
+++ b/source3/libsmb/smb_seal.c
@@ -388,10 +388,17 @@ void common_free_encryption_state(struct smb_trans_enc_state **pp_es)
void common_free_enc_buffer(struct smb_trans_enc_state *es, char *buf)
{
+ uint16_t enc_ctx_num;
+
if (!common_encryption_on(es)) {
return;
}
+ if (!NT_STATUS_IS_OK(get_enc_ctx_num((const uint8_t *)buf,
+ &enc_ctx_num))) {
+ return;
+ }
+
if (es->smb_enc_type == SMB_TRANS_ENC_NTLM) {
SAFE_FREE(buf);
return;