Fix bug found by Tim Prouty, logging off and then re-using a vuid can cause smbd to

author Jeremy Allison <jra@samba.org>

Thu, 16 Apr 2009 23:19:10 +0000 (16:19 -0700)

committer Jeremy Allison <jra@samba.org>

Thu, 16 Apr 2009 23:22:30 +0000 (16:22 -0700)
author Jeremy Allison <jra@samba.org>
Thu, 16 Apr 2009 23:19:10 +0000 (16:19 -0700)
committer Jeremy Allison <jra@samba.org>
Thu, 16 Apr 2009 23:22:30 +0000 (16:22 -0700)
diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c

index f8c55b1b8f8fbe4e6b19c2149a1a28ec9f5410ec..b8ed321a4589042ae6e778c235a3e72c61ccc163 100644 (file)
--- a/source3/smbd/uid.c
+++ b/source3/smbd/uid.c
@@ -164,6 +164,10 @@ void conn_clear_vuid_cache(connection_struct *conn, uint16_t vuid)
  
                 if (ent->vuid == vuid) {
                         ent->vuid = UID_FIELD_INVALID;
+                       /* Ensure we're not freeing an active pointer. */
+                       if (conn->server_info == ent->server_info) {
+                               conn->server_info = NULL;
+                       }
                         TALLOC_FREE(ent->server_info);
                         ent->read_only = False;
                         ent->admin_user = False;
@@ -216,6 +220,13 @@ bool change_to_user(connection_struct *conn, uint16 vuid)
  
         server_info = vuser ? vuser->server_info : conn->server_info;
  
+       if (!server_info) {
+               /* Invalid vuid sent - even with security = share. */
+               DEBUG(2,("change_to_user: Invalid vuid %d used on "
+                        "share %s.\n",vuid, lp_servicename(snum) ));
+               return false;
+       }
+
         if (!check_user_ok(conn, vuid, server_info, snum)) {
                 DEBUG(2,("change_to_user: SMB user %s (unix user %s, vuid %d) "
                          "not permitted access to share %s.\n",
author	Jeremy Allison <jra@samba.org>
	Thu, 16 Apr 2009 23:19:10 +0000 (16:19 -0700)
committer	Jeremy Allison <jra@samba.org>
	Thu, 16 Apr 2009 23:22:30 +0000 (16:22 -0700)