Windows: Prevent SMB unitialized variable access

smb_ReceiveNTTranCreate would make use of 'fidp' before it was
allocated.

Change-Id: Ib4a7262ba09f15049f1855535250638c2e5d17a4
Reviewed-on: http://gerrit.openafs.org/8411
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>

diff --git a/src/WINNT/afsd/smb3.c b/src/WINNT/afsd/smb3.c
index 9507920..d18343c 100644 (file)
--- a/src/WINNT/afsd/smb3.c
+++ b/src/WINNT/afsd/smb3.c
@@ -8726,6 +8726,14 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
         cm_FreeSpace(spacep);
     }
 
+    /* open the file itself */
+    fidp = smb_FindFID(vcp, 0, SMB_FLAG_CREATE);
+    osi_assertx(fidp, "null smb_fid_t");
+
+    /* save a reference to the user */
+    cm_HoldUser(userp);
+    fidp->userp = userp;
+
     /* if we get here, if code is 0, the file exists and is represented by
      * scp.  Otherwise, we have to create it.  The dir may be represented
      * by dscp, or we may have found the file directly.  If code is non-zero,
@@ -8738,6 +8746,8 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
             cm_ReleaseSCache(dscp);
             cm_ReleaseSCache(scp);
             cm_ReleaseUser(userp);
+           smb_CloseFID(vcp, fidp, NULL, 0);
+           smb_ReleaseFID(fidp);
             free(realPathp);
             return code;
         }
@@ -8749,6 +8759,8 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
             cm_ReleaseSCache(dscp);
             cm_ReleaseSCache(scp);
             cm_ReleaseUser(userp);
+           smb_CloseFID(vcp, fidp, NULL, 0);
+           smb_ReleaseFID(fidp);
             free(realPathp);
             return CM_ERROR_EXISTS;
         }
@@ -8781,6 +8793,8 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
                        if (scp)
                            cm_ReleaseSCache(scp);
                        cm_ReleaseUser(userp);
+                        smb_CloseFID(vcp, fidp, NULL, 0);
+                        smb_ReleaseFID(fidp);
                        free(realPathp);
                        return code;
                    }
@@ -8795,6 +8809,8 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
         /* don't create if not found */
         cm_ReleaseSCache(dscp);
         cm_ReleaseUser(userp);
+        smb_CloseFID(vcp, fidp, NULL, 0);
+        smb_ReleaseFID(fidp);
         free(realPathp);
         return CM_ERROR_NOSUCHFILE;
     }
@@ -8885,6 +8901,8 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
        if (scp)
             cm_ReleaseSCache(scp);
         cm_ReleaseUser(userp);
+        smb_CloseFID(vcp, fidp, NULL, 0);
+        smb_ReleaseFID(fidp);
         free(realPathp);
         return code;
     }
@@ -8917,6 +8935,8 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
                cm_CheckNTOpenDone(scp, userp, &req, &ldp);
             cm_ReleaseSCache(scp);
             cm_ReleaseUser(userp);
+           smb_CloseFID(vcp, fidp, NULL, 0);
+           smb_ReleaseFID(fidp);
             free(realPathp);
             return CM_ERROR_ISDIR;
         }
@@ -8927,18 +8947,12 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
            cm_CheckNTOpenDone(scp, userp, &req, &ldp);
         cm_ReleaseSCache(scp);
         cm_ReleaseUser(userp);
+        smb_CloseFID(vcp, fidp, NULL, 0);
+        smb_ReleaseFID(fidp);
         free(realPathp);
         return CM_ERROR_NOTDIR;
     }
 
-    /* open the file itself */
-    fidp = smb_FindFID(vcp, 0, SMB_FLAG_CREATE);
-    osi_assertx(fidp, "null smb_fid_t");
-
-    /* save a reference to the user */
-    cm_HoldUser(userp);
-    fidp->userp = userp;
-
     /* If we are restricting sharing, we should do so with a suitable
        share lock. */
     if (scp->fileType == CM_SCACHETYPE_FILE &&