From 6f79eb36593a2b20e712cf7e828e987e12f8e99f Mon Sep 17 00:00:00 2001
From: Jeffrey Altman
Date: Thu, 8 Nov 2012 12:20:30 -0500
Subject: [PATCH] Windows: Prevent SMB unitialized variable access

smb_ReceiveNTTranCreate would make use of 'fidp' before it was allocated.

Change-Id: Ib4a7262ba09f15049f1855535250638c2e5d17a4
Reviewed-on: http://gerrit.openafs.org/8411
Tested-by: BuildBot
Reviewed-by: Jeffrey Altman
---
 src/WINNT/afsd/smb3.c | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/src/WINNT/afsd/smb3.c b/src/WINNT/afsd/smb3.c
index 9507920..d18343c 100644
--- a/src/WINNT/afsd/smb3.c
+++ b/src/WINNT/afsd/smb3.c
@@ -8726,6 +8726,14 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
 cm_FreeSpace(spacep);
 }
 
+ /* open the file itself */
+ fidp = smb_FindFID(vcp, 0, SMB_FLAG_CREATE);
+ osi_assertx(fidp, "null smb_fid_t");
+
+ /* save a reference to the user */
+ cm_HoldUser(userp);
+ fidp->userp = userp;
+
 /* if we get here, if code is 0, the file exists and is represented by
 * scp. Otherwise, we have to create it. The dir may be represented
 * by dscp, or we may have found the file directly. If code is non-zero,
@@ -8738,6 +8746,8 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
 cm_ReleaseSCache(dscp);
 cm_ReleaseSCache(scp);
 cm_ReleaseUser(userp);
+ smb_CloseFID(vcp, fidp, NULL, 0);
+ smb_ReleaseFID(fidp);
 free(realPathp);
 return code;
 }
@@ -8749,6 +8759,8 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
 cm_ReleaseSCache(dscp);
 cm_ReleaseSCache(scp);
 cm_ReleaseUser(userp);
+ smb_CloseFID(vcp, fidp, NULL, 0);
+ smb_ReleaseFID(fidp);
 free(realPathp);
 return CM_ERROR_EXISTS;
 }
@@ -8781,6 +8793,8 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
 if (scp)
 cm_ReleaseSCache(scp);
 cm_ReleaseUser(userp);
+ smb_CloseFID(vcp, fidp, NULL, 0);
+ smb_ReleaseFID(fidp);
 free(realPathp);
 return code;
 }
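Review bot: Hoisting `fidp = smb_FindFID(vcp, 0, SMB_FLAG_CREATE);` and `cm_HoldUser(userp);` ahead of the path resolution means every early return between this point and the old allocation site must now release both the fid and the extra user reference; the patch adds `smb_CloseFID`/`smb_ReleaseFID` to seven exits, but the stretches of the function not shown in any hunk (roughly old lines 8754–8781, 8800–8885 and 8890–8917) should be audited for any other `return` that still leaks them. Allocation failure is handled by `osi_assertx(fidp, "null smb_fid_t")`, so if smb_FindFID can return NULL under memory pressure the daemon aborts on a client-driven request instead of failing that one request; smb_FindFID is not visible here, so this may already be unreachable, but a comment stating which it is would help the next reader. Because the same four-statement epilogue is now repeated at every failing exit, a single cleanup label reached by `goto out_fid;` would be less fragile than relying on each future exit to copy it. smb_ReceiveNTTranCreate begins and ends outside this hunk.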
@@ -8795,6 +8809,8 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
 /* don't create if not found */
 cm_ReleaseSCache(dscp);
 cm_ReleaseUser(userp);
+ smb_CloseFID(vcp, fidp, NULL, 0);
+ smb_ReleaseFID(fidp);
 free(realPathp);
 return CM_ERROR_NOSUCHFILE;
 }
@@ -8885,6 +8901,8 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
 if (scp)
 cm_ReleaseSCache(scp);
 cm_ReleaseUser(userp);
+ smb_CloseFID(vcp, fidp, NULL, 0);
+ smb_ReleaseFID(fidp);
 free(realPathp);
 return code;
 }
@@ -8917,6 +8935,8 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
 cm_CheckNTOpenDone(scp, userp, &req, &ldp);
 cm_ReleaseSCache(scp);
 cm_ReleaseUser(userp);
+ smb_CloseFID(vcp, fidp, NULL, 0);
+ smb_ReleaseFID(fidp);
 free(realPathp);
 return CM_ERROR_ISDIR;
 }
@@ -8927,18 +8947,12 @@ long smb_ReceiveNTTranCreate(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *out
 cm_CheckNTOpenDone(scp, userp, &req, &ldp);
 cm_ReleaseSCache(scp);
 cm_ReleaseUser(userp);
+ smb_CloseFID(vcp, fidp, NULL, 0);
+ smb_ReleaseFID(fidp);
 free(realPathp);
 return CM_ERROR_NOTDIR;
 }
 
- /* open the file itself */
- fidp = smb_FindFID(vcp, 0, SMB_FLAG_CREATE);
- osi_assertx(fidp, "null smb_fid_t");
-
- /* save a reference to the user */
- cm_HoldUser(userp);
- fidp->userp = userp;
-
 /* If we are restricting sharing, we should do so with a suitable
 * share lock. */
 if (scp->fileType == CM_SCACHETYPE_FILE &&
-- 
1.9.4
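Review bot: In each rewritten exit `cm_ReleaseUser(userp);` runs before `smb_CloseFID(vcp, fidp, NULL, 0);` and `smb_ReleaseFID(fidp);`, while `fidp->userp` still carries the reference taken by `cm_HoldUser(userp)` in the relocated block; the accounting is only balanced if smb_CloseFID or smb_ReleaseFID drops `fidp->userp` itself, which this patch does not show, so a comment at the allocation site such as `/* fidp->userp holds its own reference; smb_CloseFID/smb_ReleaseFID release it */` would record the assumption these exits depend on. If neither helper releases it, every error return added here leaks one cm_user_t reference per failed NT_TRANSACT_CREATE, which a client can trigger at will. The same four-line epilogue is now duplicated across at least seven exits, so a shared `goto` cleanup label would keep later additions from missing one. smb_ReceiveNTTranCreate continues past the end of this hunk.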