Check for buffer in decode_wkssvc_join_password_buffer.

Guenther
(This used to be commit 2134d80c05fd7a37f44317335b40d7961c429c7b)

1 files changed, 10 insertions, 1 deletions

diff --git a/source3/libsmb/smbencrypt.c b/source3/libsmb/smbencrypt.c
index c547a4a003..e7198b801d 100644
--- a/source3/libsmb/smbencrypt.c
+++ b/source3/libsmb/smbencrypt.c
@@ -748,16 +748,24 @@ WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
 	struct MD5Context ctx;
 	uint32_t pwd_len;
 
-	DATA_BLOB confounded_session_key = data_blob_talloc(mem_ctx, NULL, 16);
+	DATA_BLOB confounded_session_key;
 
 	int confounder_len = 8;
 	uint8_t confounder[8];
 
+	*pwd = NULL;
+
+	if (!pwd_buf) {
+		return WERR_BAD_PASSWORD;
+	}
+
 	if (session_key->length != 16) {
 		DEBUG(10,("invalid session key\n"));
 		return WERR_BAD_PASSWORD;
 	}
 
+	confounded_session_key = data_blob_talloc(mem_ctx, NULL, 16);
+
 	memcpy(&confounder, &pwd_buf->data[0], confounder_len);
 	memcpy(&buffer, &pwd_buf->data[8], 516);
 
@@ -769,6 +777,7 @@ WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
 	SamOEMhashBlob(buffer, 516, &confounded_session_key);
 
 	if (!decode_pw_buffer(mem_ctx, buffer, pwd, &pwd_len, STR_UNICODE)) {
+		data_blob_free(&confounded_session_key);
 		return WERR_BAD_PASSWORD;
 	}