From: Volker Lendecke
Date: Wed, 5 Jul 2023 12:07:11 +0000 (+0200)
Subject: smbd: Don't crash in cli_fsctl_send()
X-Git-Tag: tevent-0.16.0~1074
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=874c693b5817f7512cf435be498764fbe329e507;p=thirdparty%2Fsamba.git
smbd: Don't crash in cli_fsctl_send()
If you run "allinfo" on a symlink with NT1, cli_readlink_send sends a NULL "in" blob. Do the same as smb2cli_ioctl_send() does, just send NULL/0 in that case and don't crash.
Signed-off-by: Volker Lendecke
Reviewed-by: Jeremy Allison
---
diff --git a/source3/libsmb/clifile.c b/source3/libsmb/clifile.c
index bfc7e0e3699..483e453d854 100644
--- a/source3/libsmb/clifile.c
+++ b/source3/libsmb/clifile.c
@@ -7243,6 +7243,8 @@ struct tevent_req *cli_fsctl_send(
 struct tevent_req *req = NULL, *subreq = NULL;
 struct cli_fsctl_state *state = NULL;
 uint16_t *setup = NULL;
+ uint8_t *data = NULL;
+ uint32_t num_data = 0;
 req = tevent_req_create(mem_ctx, &state, struct cli_fsctl_state);
 if (req == NULL) {
@@ -7268,17 +7270,29 @@ struct tevent_req *cli_fsctl_send(
 SCVAL(setup, 6, 1); /* IsFcntl */
 SCVAL(setup, 7, 0); /* IsFlags */
- subreq = cli_trans_send(
- state, ev, cli,
- 0, /* additional_flags2 */
- SMBnttrans, /* cmd */
- NULL, /* name */
- -1, /* fid */
- NT_TRANSACT_IOCTL, /* function */
- 0, /* flags */
- setup, 4, 0, /* setup */
- NULL, 0, 0, /* param */
- in->data, in->length, max_out); /* data */
+ if (in) {
+ data = in->data;
+ num_data = in->length;
+ }
+
+ subreq = cli_trans_send(state,
+ ev,
+ cli,
+ 0, /* additional_flags2 */
+ SMBnttrans, /* cmd */
+ NULL, /* name */
+ -1, /* fid */
+ NT_TRANSACT_IOCTL, /* function */
+ 0, /* flags */
+ setup,
+ 4,
+ 0, /* setup */
+ NULL,
+ 0,
+ 0, /* param */
+ data,
+ num_data,
+ max_out); /* data */
 if (tevent_req_nomem(subreq, req)) {
 return tevent_req_post(req, ev);
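Review bot: In the second hunk, `num_data = in->length;` stores the blob length in a `uint32_t` with no range check. If `length` is a `size_t` (the DATA_BLOB definition is not visible here), an oversized blob would be silently truncated on the wire rather than rejected, so a guard like `if (in->length > UINT32_MAX)` that fails the request via tevent_req_nterror() would make the limit explicit. The guard itself would match `if (req == NULL)` in the first hunk better if written as `if (in != NULL) {`. A short comment above it, e.g. `/* "in" may be NULL (cli_readlink_send passes none): send an empty data section, as smb2cli_ioctl_send() does */`, would record why a NULL blob is an accepted input. The body of cli_fsctl_send starts before and runs past both hunks, so any earlier use of `in` is not visible here.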