From c3cc51e8a2f31565c3bac219ea3a78ab4287bcd5 Mon Sep 17 00:00:00 2001
From: David Disseldorp
Date: Tue, 15 Jan 2013 17:23:08 +0100
Subject: smb2_ioctl: only pass through to VFS on a valid fsp
A null fsp is dereferenced on VFS call.
Reviewed by: Jeremy Allison
---
 source3/smbd/smb2_ioctl_network_fs.c | 30 +++++++++++++++++-------------
 1 file changed, 17 insertions(+), 13 deletions(-)
diff --git a/source3/smbd/smb2_ioctl_network_fs.c b/source3/smbd/smb2_ioctl_network_fs.c
index e984fea4e7..5721a4cc63 100644
--- a/source3/smbd/smb2_ioctl_network_fs.c
+++ b/source3/smbd/smb2_ioctl_network_fs.c
@@ -505,19 +505,23 @@ struct tevent_req *smb2_ioctl_network_fs(uint32_t ctl_code,
 uint8_t *out_data = NULL;
 uint32_t out_data_len = 0;
- status = SMB_VFS_FSCTL(state->fsp,
- state,
- ctl_code,
- state->smbreq->flags2,
- state->in_input.data,
- state->in_input.length,
- &out_data,
- state->in_max_output,
- &out_data_len);
- state->out_output = data_blob_const(out_data, out_data_len);
- if (NT_STATUS_IS_OK(status)) {
- tevent_req_done(req);
- return tevent_req_post(req, ev);
+ if (state->fsp == NULL) {
+ status = NT_STATUS_NOT_SUPPORTED;
+ } else {
+ status = SMB_VFS_FSCTL(state->fsp,
+ state,
+ ctl_code,
+ state->smbreq->flags2,
+ state->in_input.data,
+ state->in_input.length,
+ &out_data,
+ state->in_max_output,
+ &out_data_len);
+ state->out_output = data_blob_const(out_data, out_data_len);
+ if (NT_STATUS_IS_OK(status)) {
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
 }
 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
-- cgit
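Review bot: The new `if (state->fsp == NULL)` branch assigns `NT_STATUS_NOT_SUPPORTED` with no comment explaining why. The status seems chosen so the request falls into the `if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED))` handling that closes the hunk, whose body is outside the visible lines. A short comment would keep a later refactor from dropping the guard, for example `/* no open file handle for this ioctl: skip the VFS call and use the NOT_SUPPORTED handling below */`. The commit message says the NULL fsp was dereferenced in the VFS call, which presumably a client can trigger by sending an unhandled ctl_code without a valid handle. If so, a regression test that sends such a request is worth adding alongside this fix. The guard covers only this fall-through path; the hunk does not show whether other ctl_code paths in smb2_ioctl_network_fs use `state->fsp` unchecked.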