s3:smbd Fix segfault if register_existing_vuid() fails

The register_existing_vuid() call will handle both the ntlmssp_end and
vuid invalidation internally, so we don't want to do it again.

Andrew Bartlett

Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Signed-off-by: Andrew Tridgell <tridge@samba.org>

1 files changed, 12 insertions, 4 deletions

diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index b296a1f47c..6ae7758ead 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -629,6 +629,7 @@ static void reply_spnego_ntlmssp(struct smb_request *req,
 				 const char *OID,
 				 bool wrap)
 {
+	bool do_invalidate = true;
 	DATA_BLOB response;
 	struct auth_serversupplied_info *server_info = NULL;
 	struct smbd_server_connection *sconn = req->sconn;
@@ -663,6 +664,11 @@ static void reply_spnego_ntlmssp(struct smb_request *req,
 					   server_info, nullblob,
 					   auth_ntlmssp_get_username(*auth_ntlmssp_state)) !=
 					   vuid) {
+			/* The problem is, *auth_ntlmssp_state points
+			 * into the vuser this will have
+			 * talloc_free()'ed in
+			 * register_existing_vuid() */
+			do_invalidate = false;
 			nt_status = NT_STATUS_LOGON_FAILURE;
 			goto out;
 		}
@@ -696,10 +702,12 @@ static void reply_spnego_ntlmssp(struct smb_request *req,
 
 	if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 		/* NB. This is *NOT* an error case. JRA */
-		auth_ntlmssp_end(auth_ntlmssp_state);
-		if (!NT_STATUS_IS_OK(nt_status)) {
-			/* Kill the intermediate vuid */
-			invalidate_vuid(sconn, vuid);
+		if (do_invalidate) {
+			auth_ntlmssp_end(auth_ntlmssp_state);
+			if (!NT_STATUS_IS_OK(nt_status)) {
+				/* Kill the intermediate vuid */
+				invalidate_vuid(sconn, vuid);
+			}
 		}
 	}
 }