s3: smbd: Ensure srvstr_pull_req_talloc() always NULLs out *dest.
author Jeremy Allison <jra@samba.org>
Fri, 11 Aug 2023 17:42:41 +0000 (10:42 -0700)
committer Jule Anger <janger@samba.org>
Wed, 16 Aug 2023 10:48:14 +0000 (10:48 +0000)
Robert Morris <rtm@lcs.mit.edu> noticed that in the case
where srvstr_pull_req_talloc() is being called with
buffer remaining == 0, we don't NULL out the destination
pointer, which is *always* done in the codepaths inside
pull_string_talloc(). This prevents a crash in the caller.

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15420

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit 9220c45cc191b34e293190f6a923ba463edd5db9)
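
The failure mode the commit message describes, as an added example in C that is not Samba's code. `pull_copy`, `pull_before`, `pull_after` and `caller_sees_null` are hypothetical stand-ins, and the `stale` pointer is constructed to model a destination the caller never initialised.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the inner helper: always writes *dest. */
static size_t pull_copy(char **dest, const char *src, size_t bufrem)
{
	const char *nul = memchr(src, '\0', bufrem);
	size_t len = nul ? (size_t)(nul - src) : bufrem;
	*dest = malloc(len + 1);
	if (*dest == NULL) return 0;
	memcpy(*dest, src, len);
	(*dest)[len] = '\0';
	return len;
}

/* Shape before the fix: the empty-buffer return never touches *dest. */
static size_t pull_before(char **dest, const char *src, size_t bufrem)
{
	if (bufrem == 0) return 0; /* *dest stays as the caller had it */
	return pull_copy(dest, src, bufrem);
}

/* Shape after the fix: every return path leaves *dest defined. */
static size_t pull_after(char **dest, const char *src, size_t bufrem)
{
	if (bufrem == 0) {
		*dest = NULL;
		return 0;
	}
	return pull_copy(dest, src, bufrem);
}

/* Caller relying on "*dest is NULL or a valid string"; returns 1 on NULL. */
static int caller_sees_null(size_t (*pull)(char **, const char *, size_t),
			    const char *src, size_t bufrem)
{
	static char stale[] = "stale"; /* constructed: leftover pointer value */
	char *name = stale;
	pull(&name, src, bufrem);
	int is_null = (name == NULL);
	if (name != NULL && name != stale) free(name);
	return is_null;
}

int main(void)
{
	printf("before: saw NULL = %d\n", caller_sees_null(pull_before, "", 0));
	printf("after:  saw NULL = %d\n", caller_sees_null(pull_after, "", 0));
	return 0;
}
```

With the "before" shape the caller's NULL check passes on a pointer it does not own, which is where a later dereference or free goes wrong.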

selftest/knownfail.d/smb1_truncated_sessetup [deleted file]
source3/smbd/smb2_reply.c

diff --git a/selftest/knownfail.d/smb1_truncated_sessetup b/selftest/knownfail.d/smb1_truncated_sessetup
deleted file mode 100644 (file)
index 2ecdbd8..0000000
+++ /dev/null
@@ -1 +0,0 @@
-^samba3.smbtorture_s3.smb1.SMB1-TRUNCATED-SESSSETUP.smbtorture\(fileserver_smb1\)
index 76e3cf789cda8c54d2f37d3104276fdb051a2738..5ff6f4db8c97bdbd05cd91572fa947c6bd894622 100644 (file)
@@ -517,6 +517,7 @@ size_t srvstr_pull_req_talloc(TALLOC_CTX *ctx, struct smb_request *req,
        ssize_t bufrem = smbreq_bufrem(req, src);
 
        if (bufrem == 0) {
+               *dest = NULL;
                return 0;
        }
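
Review bot: the added `*dest = NULL;` lives only inside the `bufrem == 0` branch, so the "always" in the subject line still depends on every other return path writing the pointer. Assigning `*dest = NULL` once at the top of srvstr_pull_req_talloc(), before `smbreq_bufrem(req, src)` is called, would make the guarantee hold by construction and survive future early returns. Separately, `bufrem` is declared `ssize_t` but is only compared with `== 0`; if smbreq_bufrem() can return a negative value, that case should take the same early return (`bufrem <= 0`), and if it cannot, a short comment saying so would help the next reader. The function's header comment should also state that *dest is written on every return so callers know they may rely on it.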