Fix for crash bug freeing a non-malloc'ed buffer if the client sends a non-encrypted...
authorVolker Lendecke <Volker.Lendecke@SerNet.DE>
Fri, 5 Dec 2008 21:21:19 +0000 (13:21 -0800)
committerJeremy Allison <jra@samba.org>
Fri, 5 Dec 2008 21:21:19 +0000 (13:21 -0800)
source/libsmb/smb_seal.c

index a81ae9afd553643e3460f20334e873e2d32e5818..795c8bc14ca7984ec50bef5f97ad9aab8ac9bb16 100644 (file)
@@ -388,10 +388,17 @@ void common_free_encryption_state(struct smb_trans_enc_state **pp_es)
 
 void common_free_enc_buffer(struct smb_trans_enc_state *es, char *buf)
 {
+       uint16_t enc_ctx_num;
+
        if (!common_encryption_on(es)) {
                return;
        }
 
+       if (!NT_STATUS_IS_OK(get_enc_ctx_num((const uint8_t *)buf,
+                       &enc_ctx_num))) {
+               return;
+       }
+
        if (es->smb_enc_type == SMB_TRANS_ENC_NTLM) {
                SAFE_FREE(buf);
                return;
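Review bot: The new guard ahead of the `SMB_TRANS_ENC_NTLM` branch infers buffer ownership from the bytes in `buf`: the pointer is treated as heap-allocated whenever `get_enc_ctx_num()` accepts its header, and `enc_ctx_num` is written but never read. That is only safe while every non-allocated buffer reaching this function fails the parse, so state the assumption at the early return, e.g. `/* Not an encrypted packet: buf was not allocated by the encrypt path, so it must not be freed. */`. If the encryption state records its own context number (not visible in this hunk), comparing it with `enc_ctx_num` would also keep a buffer belonging to another context out of the free path. The guard also reads `buf` before any NULL check, whereas `SAFE_FREE(buf)` on its own presumably tolerated NULL. The function body continues past the end of this hunk, so the remaining branches are not covered by this note.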