diff options
author | Volker Lendecke <Volker.Lendecke@SerNet.DE> | 2008-12-05 13:20:55 -0800 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2008-12-05 13:20:55 -0800 |
commit | ac4a77ccca08b73f828938a0cfaece66b1c9deea (patch) | |
tree | 3a118ef77872b671c088ed34c3d9d0ff2f65afe4 | |
parent | 3656cb2e57d971f8119024dff8eb3594b559592d (diff) | |
download | samba-ac4a77ccca08b73f828938a0cfaece66b1c9deea.tar.gz samba-ac4a77ccca08b73f828938a0cfaece66b1c9deea.tar.bz2 samba-ac4a77ccca08b73f828938a0cfaece66b1c9deea.zip |
Fix for crash bug freeing a non-malloc'ed buffer if the client sends a non-encrypted packet with the crypto state set.
-rw-r--r-- | source3/libsmb/smb_seal.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/source3/libsmb/smb_seal.c b/source3/libsmb/smb_seal.c index a81ae9afd5..795c8bc14c 100644 --- a/source3/libsmb/smb_seal.c +++ b/source3/libsmb/smb_seal.c @@ -388,10 +388,17 @@ void common_free_encryption_state(struct smb_trans_enc_state **pp_es) void common_free_enc_buffer(struct smb_trans_enc_state *es, char *buf) { + uint16_t enc_ctx_num; + if (!common_encryption_on(es)) { return; } + if (!NT_STATUS_IS_OK(get_enc_ctx_num((const uint8_t *)buf, + &enc_ctx_num))) { + return; + } + if (es->smb_enc_type == SMB_TRANS_ENC_NTLM) { SAFE_FREE(buf); return; |