s3: Fix a NULL pointer dereference
authorVolker Lendecke <vl@samba.org>
Tue, 9 Mar 2010 10:14:14 +0000 (11:14 +0100)
committerKarolin Seeger <kseeger@samba.org>
Thu, 6 May 2010 12:08:30 +0000 (14:08 +0200)
Found by Laurent Gaffie <laurent.gaffie@gmail.com>.

Thanks!

Volker
(cherry picked from commit 25452a2268ac7013da28125f3df22085139af12d)

Fix bug #7229 (NULL pointer dereference).
(cherry picked from commit bf40d130a1761daa14ce6a2cf3d02dbd9095c2b5)
(cherry picked from commit 6e8c643688a323c9a68baa9f015cffec65d75115)

source3/smbd/process.c

index b4976f77f8d7c942df9841305fec1e7132749d2a..2abea8f4bcc3fd96d30a0f7f3331f8fb810687c9 100644 (file)
@@ -1604,6 +1604,15 @@ void chain_reply(struct smb_request *req)
         */
 
        if ((req->wct < 2) || (CVAL(req->outbuf, smb_wct) < 2)) {
+               if (req->chain_outbuf == NULL) {
+                       req->chain_outbuf = TALLOC_REALLOC_ARRAY(
+                               req, req->outbuf, uint8_t,
+                               smb_len(req->outbuf) + 4);
+                       if (req->chain_outbuf == NULL) {
+                               smb_panic("talloc failed");
+                       }
+               }
+               req->outbuf = NULL;
                goto error;
        }
 
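Review bot: In the added block ahead of `goto error`, when `req->chain_outbuf` is already non-NULL the line `req->outbuf = NULL;` drops the current reply buffer without freeing it or saying why. If `outbuf` is a talloc child of `req` it is presumably released with the request, but that is not visible here. Either `TALLOC_FREE(req->outbuf);` for that case or a comment such as `/* the error reply is built in chain_outbuf; outbuf is discarded */` would make the ownership explicit. The realloc-or-panic sequence also duplicates the one in the second hunk (new line 1640 onward), so a small static helper would keep the two paths from drifting apart. The body of chain_reply and the `error:` label lie outside the hunk.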
@@ -1631,7 +1640,7 @@ void chain_reply(struct smb_request *req)
                req->chain_outbuf = TALLOC_REALLOC_ARRAY(
                        req, req->outbuf, uint8_t, smb_len(req->outbuf) + 4);
                if (req->chain_outbuf == NULL) {
-                       goto error;
+                       smb_panic("talloc failed");
                }
                req->outbuf = NULL;
        } else {
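Review bot: With `smb_panic("talloc failed");` in place of `goto error`, an allocation failure while handling a chained request now ends the process instead of producing an error reply, and nothing at the call site records that this is deliberate. Presumably the `error:` path needs a non-NULL `chain_outbuf` and so cannot be taken from here, but that label is outside the hunk. A comment such as `/* error: path dereferences chain_outbuf, so no reply can be built without it */` would record the reasoning for the next reader. The first hunk makes the same choice and would benefit from the same comment.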