Check for buffer in decode_wkssvc_join_password_buffer.

author Günther Deschner <gd@samba.org>

Fri, 28 Mar 2008 12:40:13 +0000 (13:40 +0100)

committer Günther Deschner <gd@samba.org>

Fri, 28 Mar 2008 13:15:20 +0000 (14:15 +0100)
author Günther Deschner <gd@samba.org>
Fri, 28 Mar 2008 12:40:13 +0000 (13:40 +0100)
committer Günther Deschner <gd@samba.org>
Fri, 28 Mar 2008 13:15:20 +0000 (14:15 +0100)
diff --git a/source/libsmb/smbencrypt.c b/source/libsmb/smbencrypt.c

index c547a4a0034c22589594bad6dbf32ba37edfde65..e7198b801d39acb86ab85c2dac187d57f58b9d57 100644 (file)
--- a/source/libsmb/smbencrypt.c
+++ b/source/libsmb/smbencrypt.c
@@ -748,16 +748,24 @@ WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
         struct MD5Context ctx;
         uint32_t pwd_len;
  
-       DATA_BLOB confounded_session_key = data_blob_talloc(mem_ctx, NULL, 16);
+       DATA_BLOB confounded_session_key;
  
         int confounder_len = 8;
         uint8_t confounder[8];
  
+       *pwd = NULL;
+
+       if (!pwd_buf) {
+               return WERR_BAD_PASSWORD;
+       }
+
         if (session_key->length != 16) {
                 DEBUG(10,("invalid session key\n"));
                 return WERR_BAD_PASSWORD;
         }
  
+       confounded_session_key = data_blob_talloc(mem_ctx, NULL, 16);
+
         memcpy(&confounder, &pwd_buf->data[0], confounder_len);
         memcpy(&buffer, &pwd_buf->data[8], 516);
  
@@ -769,6 +777,7 @@ WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
         SamOEMhashBlob(buffer, 516, &confounded_session_key);
  
         if (!decode_pw_buffer(mem_ctx, buffer, pwd, &pwd_len, STR_UNICODE)) {
+               data_blob_free(&confounded_session_key);
                 return WERR_BAD_PASSWORD;
         }
author	Günther Deschner <gd@samba.org>
	Fri, 28 Mar 2008 12:40:13 +0000 (13:40 +0100)
committer	Günther Deschner <gd@samba.org>
	Fri, 28 Mar 2008 13:15:20 +0000 (14:15 +0100)