diff options
| author | Jeremy Allison <jra@samba.org> | 2009-04-16 16:19:10 -0700 |
|---|---|---|
| committer | Jeremy Allison <jra@samba.org> | 2009-04-16 16:22:30 -0700 |
| commit | d55ec4fd237ef6ebea2ee9a55c7d85dfe21f7737 (patch) | |
| tree | 2b6649a0a357c14f3d4a2fbdf81d86a87d7076be /source3/smbd | |
| parent | 265829c32fdeea2d00a75a21b4225211b24ea62d (diff) | |
| download | samba-d55ec4fd237ef6ebea2ee9a55c7d85dfe21f7737.tar.gz samba-d55ec4fd237ef6ebea2ee9a55c7d85dfe21f7737.tar.bz2 samba-d55ec4fd237ef6ebea2ee9a55c7d85dfe21f7737.zip | |
Fix bug found by Tim Prouty, logging off and then re-using a vuid can cause smbd to
access a freed structure.
Jeremy.
Diffstat (limited to 'source3/smbd')
| -rw-r--r-- | source3/smbd/uid.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c index f8c55b1b8f..b8ed321a45 100644 --- a/source3/smbd/uid.c +++ b/source3/smbd/uid.c @@ -164,6 +164,10 @@ void conn_clear_vuid_cache(connection_struct *conn, uint16_t vuid) if (ent->vuid == vuid) { ent->vuid = UID_FIELD_INVALID; + /* Ensure we're not freeing an active pointer. */ + if (conn->server_info == ent->server_info) { + conn->server_info = NULL; + } TALLOC_FREE(ent->server_info); ent->read_only = False; ent->admin_user = False; @@ -216,6 +220,13 @@ bool change_to_user(connection_struct *conn, uint16 vuid) server_info = vuser ? vuser->server_info : conn->server_info; + if (!server_info) { + /* Invalid vuid sent - even with security = share. */ + DEBUG(2,("change_to_user: Invalid vuid %d used on " + "share %s.\n",vuid, lp_servicename(snum) )); + return false; + } + if (!check_user_ok(conn, vuid, server_info, snum)) { DEBUG(2,("change_to_user: SMB user %s (unix user %s, vuid %d) " "not permitted access to share %s.\n", |