From: Andrew Walker <awalker@ixsystems.com>
Date: Mon, 19 Dec 2022 13:17:47 +0000 (-0500)
Subject: s3:params:lp_do_section - protect against NULL deref
X-Git-Tag: samba-4.16.9~33
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=810ae90aa6c34694c692015bb9f47f56ada811d2;p=thirdparty%2Fsamba.git

s3:params:lp_do_section - protect against NULL deref

iServiceIndex may indicate an empty slot in the ServicePtrs
array. In this case, lpcfg_serivce_ok(ServicePtrs[iServiceIndex])
may trigger a NULL deref and crash. Skipping the check
here will cause a scan of the array in add_a_service() and the
NULL slot will be used safely.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15267

Signed-off-by: Andrew Walker <awalker@ixsystems.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Dec 20 18:49:54 UTC 2022 on sn-devel-184

(cherry picked from commit 5b19288949e97a5af742ff2719992d56f21e364a)
---

diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 6d567a9e7e5..1cdfbb70276 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -2883,7 +2883,7 @@ bool lp_do_section(const char *pszSectionName, void *userdata)
 	/* if we have a current service, tidy it up before moving on */
 	bRetval = true;
 
-	if (iServiceIndex >= 0)
+	if ((iServiceIndex >= 0) && (ServicePtrs[iServiceIndex] != NULL))
 		bRetval = lpcfg_service_ok(ServicePtrs[iServiceIndex]);
 
 	/* if all is still well, move to the next record in the services array */