Avoid NULL pointer dereference in SMBsendend handler

The "reply_sendend" function wouldn't check whether the connection had any pending message state. A client sending an out-of-order SMBsendend message would trigger a NULL pointer dereference. Reviewed-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Michael Hanselmann <public@hansmi.ch> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
author: Michael Hanselmann <public@hansmi.ch> 2019-03-06 23:44:23 +0100
committer: Andrew Bartlett <abartlet@samba.org> 2019-03-12 00:42:19 +0000
commit: a27c39c2c9fd3161f5bf3ae5dba687c8d49519ef (patch)
tree: 2b9390d86f3401692fb5e2a47febd6e7dcaad34e /source3
parent: 0a804d38c4a7fed7aef6c357091ec5790bec7873 (diff)
download: samba-a27c39c2c9fd3161f5bf3ae5dba687c8d49519ef.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/source3/smbd/message.c b/source3/smbd/message.c
index 1c3976dd3e9..a4ffad57b5c 100644
--- a/source3/smbd/message.c
+++ b/source3/smbd/message.c
@@ -306,6 +306,12 @@ void reply_sendend(struct smb_request *req)
 		return;
 	}
 
+	if (xconn->smb1.msg_state == NULL) {
+		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+		END_PROFILE(SMBsendend);
+		return;
+	}
+
 	DEBUG(3,("SMBsendend\n"));
 
 	msg_deliver(xconn->smb1.msg_state);
author	Michael Hanselmann <public@hansmi.ch>	2019-03-06 23:44:23 +0100
committer	Andrew Bartlett <abartlet@samba.org>	2019-03-12 00:42:19 +0000
commit	a27c39c2c9fd3161f5bf3ae5dba687c8d49519ef (patch)
tree	2b9390d86f3401692fb5e2a47febd6e7dcaad34e /source3
parent	0a804d38c4a7fed7aef6c357091ec5790bec7873 (diff)
download	samba-a27c39c2c9fd3161f5bf3ae5dba687c8d49519ef.tar.gz