From: Jeremy Allison <jra@samba.org>
Date: Thu, 16 Apr 2009 23:20:12 +0000 (-0700)
Subject: Fix bug found by Tim Prouty, logging off and then re-using a vuid can cause smbd to
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=043ade0f4dff788f81e014d3c85217377226899e;p=thirdparty%2Fsamba.git

Fix bug found by Tim Prouty, logging off and then re-using a vuid can cause smbd to
access a freed structure.
Jeremy.
---

diff --git a/source/smbd/uid.c b/source/smbd/uid.c
index 02f8cc950e9..bec820b7199 100644
--- a/source/smbd/uid.c
+++ b/source/smbd/uid.c
@@ -166,6 +166,10 @@ void conn_clear_vuid_cache(connection_struct *conn, uint16_t vuid)
 
 		if (ent->vuid == vuid) {
 			ent->vuid = UID_FIELD_INVALID;
+			/* Ensure we're not freeing an active pointer. */
+			if (conn->server_info == ent->server_info) {
+				conn->server_info = NULL;
+			}
 			TALLOC_FREE(ent->server_info);
 			ent->read_only = False;
 			ent->admin_user = False;
@@ -218,6 +222,13 @@ bool change_to_user(connection_struct *conn, uint16 vuid)
 
 	server_info = vuser ? vuser->server_info : conn->server_info;
 
+	if (!server_info) {
+		/* Invalid vuid sent - even with security = share. */
+		DEBUG(2,("change_to_user: Invalid vuid %d used on "
+			 "share %s.\n",vuid, lp_servicename(snum) ));
+		return false;
+	}
+
 	if (!check_user_ok(conn, vuid, server_info, snum)) {
 		DEBUG(2,("change_to_user: SMB user %s (unix user %s, vuid %d) "
 			 "not permitted access to share %s.\n",