From a27c39c2c9fd3161f5bf3ae5dba687c8d49519ef Mon Sep 17 00:00:00 2001 From: Michael Hanselmann Date: Wed, 6 Mar 2019 23:44:23 +0100 Subject: [PATCH] Avoid NULL pointer dereference in SMBsendend handler The "reply_sendend" function wouldn't check whether the connection had any pending message state. A client sending an out-of-order SMBsendend message would trigger a NULL pointer dereference. Reviewed-by: Garming Sam Signed-off-by: Michael Hanselmann Reviewed-by: Andrew Bartlett --- source3/smbd/message.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/source3/smbd/message.c b/source3/smbd/message.c index 1c3976dd3e9..a4ffad57b5c 100644 --- a/source3/smbd/message.c +++ b/source3/smbd/message.c @@ -306,6 +306,12 @@ void reply_sendend(struct smb_request *req) return; } + if (xconn->smb1.msg_state == NULL) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBsendend); + return; + } + DEBUG(3,("SMBsendend\n")); msg_deliver(xconn->smb1.msg_state); -- 2.34.1
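Review bot: The new guard in reply_sendend returns NT_STATUS_INVALID_PARAMETER silently; consider adding a DEBUG line (e.g. `DEBUG(3,("SMBsendend without pending message state\n"));`) before the `return;` so an out-of-order SMBsendend from a client is visible in the server log rather than only as a failed request. The rest of the block is consistent with the existing early-return pattern just above it (END_PROFILE(SMBsendend) before return), and placing the check before `msg_deliver(xconn->smb1.msg_state)` is the right point to stop the NULL dereference described in the commit message.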