From: Samuel Cabrero Date: Thu, 16 Sep 2021 12:08:28 +0000 (+0200) Subject: s3: rpc_server: Avoid creating new handles when received an empty policy_handle X-Git-Tag: ldb-2.5.0~634 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8a93ef625fd348c1473c7a55bff480de05bdaf77;p=thirdparty%2Fsamba.git s3: rpc_server: Avoid creating new handles when received an empty policy_handle After merging s3 and s4 RPC handles implementations in commit 70fa7e817e48c9faa3c6c7ae3749e4a8ebf3e6c2 a new empty handle is allocated when find_policy_by_hnd() or close_policy_hnd() is called with an empty policy_handle (see dcesrv_handle_lookup() implementation). This new behavior was causing a crash when running samba3.rpc.mdssvc test with log level >= 10, because a debug message in _mdssvc_close() was dereferencing the handle's associated data when called from test_mdssvc_close() with an empty policy_handle. Signed-off-by: Samuel Cabrero Reviewed-by: Volker Lendecke Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Mon Sep 20 14:31:33 UTC 2021 on sn-devel-184 --- diff --git a/source3/rpc_server/rpc_handles.c b/source3/rpc_server/rpc_handles.c index 745ea4dd6ef..fea7454874c 100644 --- a/source3/rpc_server/rpc_handles.c +++ b/source3/rpc_server/rpc_handles.c @@ -160,6 +160,15 @@ static struct dcesrv_handle *find_policy_by_hnd_internal( *data_p = NULL; } + /* + * Do not pass an empty policy_handle to dcesrv_handle_lookup() or + * it will create a new empty handle + */ + if (ndr_policy_handle_empty(hnd)) { + p->fault_state = DCERPC_FAULT_CONTEXT_MISMATCH; + return NULL; + } + /* * Do not pass handle_type to avoid setting the fault_state in the * pipes_struct if the handle type does not match
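Review bot: the new early return sets `p->fault_state = DCERPC_FAULT_CONTEXT_MISMATCH;` for an empty handle, while the comment immediately below it explains that `handle_type` is deliberately not passed so that a type mismatch does not set `fault_state` in the `pipes_struct`; the two policies sit side by side without a word on why an empty handle is a hard fault but a mismatched type is not, so the new comment block ("Do not pass an empty policy_handle to dcesrv_handle_lookup() or it will create a new empty handle") should also say that callers of `find_policy_by_hnd_internal()` now get a pipe in fault state for this case, since before this change they would have received a freshly allocated handle instead of `NULL`. Separately, the commit message names `close_policy_hnd()` as a second entry point that reached `dcesrv_handle_lookup()` with an empty handle, but the diff only touches `find_policy_by_hnd_internal()`; if `close_policy_hnd()` does not go through this helper it needs the same `ndr_policy_handle_empty(hnd)` guard, and the commit message should state which path covers it. Rejecting empty handles up front is the right direction: it stops unauthenticated-looking requests from allocating handle state on the server and removes the NULL-data dereference the message describes in `_mdssvc_close()`.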