From 33860a8434b7892c0d2f4f50effc448fa4a6e160 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Tue, 4 Dec 2007 13:16:37 +0100
Subject: [PATCH] Correctly invalidate intermediate vuids

Because of the "&& usp->server_info" test in get_valid_user_struct, invalidate_vuid() called for an intermediate vuid would never do what it was supposed to do. There is no server_info in the intermediate vuids. This fixes a memleak, it was found for a client that does silly sequences of sesssionsetup/ulogoff for every operation.
---
 source/smbd/password.c | 13 +++++++++++++
 source/smbd/sesssetup.c | 18 +++++++++---------
 2 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/source/smbd/password.c b/source/smbd/password.c
index 4ea1d9a83f4..8f75ea823f8 100644
--- a/source/smbd/password.c
+++ b/source/smbd/password.c
@@ -116,6 +116,19 @@ void invalidate_vuid(uint16 vuid)
 num_validated_vuids--;
 }
+void invalidate_intermediate_vuid(uint16 vuid)
+{
+ user_struct *vuser = get_partial_auth_user_struct(vuid);
+
+ if (vuser == NULL)
+ return;
+
+ DLIST_REMOVE(validated_users, vuser);
+
+ SAFE_FREE(vuser);
+ num_validated_vuids--;
+}
+
 /****************************************************************************
 Invalidate all vuid entries for this process.
 ****************************************************************************/
diff --git a/source/smbd/sesssetup.c b/source/smbd/sesssetup.c
index 058faedd5ea..d9a52625fe1 100644
--- a/source/smbd/sesssetup.c
+++ b/source/smbd/sesssetup.c
@@ -624,7 +624,7 @@ static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *inbuf, char *out
 /* NB. This is *NOT* an error case. JRA */
 auth_ntlmssp_end(auth_ntlmssp_state);
 /* Kill the intermediate vuid */
- invalidate_vuid(vuid);
+ invalidate_intermediate_vuid(vuid);
 }
 return ret;
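Review bot: `invalidate_intermediate_vuid()` releases only the `user_struct` itself with `SAFE_FREE(vuser)`, so anything the partial-auth entry owns is left behind. The -1140 hunk in sesssetup.c shows `auth_ntlmssp_start(&vuser->auth_ntlmssp_state)` storing NTLMSSP state in that struct, and only the -624 call site visibly calls `auth_ntlmssp_end()` first, so the other error paths probably still leak that state on each aborted session setup, before any authentication has succeeded. Consider adding `if (vuser->auth_ntlmssp_state) auth_ntlmssp_end(&vuser->auth_ntlmssp_state);` ahead of the `SAFE_FREE`. The function would also benefit from the same banner comment its neighbours carry, stating that it is only for vuids that have no server_info yet.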
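Review bot: These calls were no-ops for intermediate vuids before and now really free the `user_struct`, so every pointer into it is dead once the call returns; this applies to the -624 site and to the sites in the -690, -704, -717, -755, -776, -789, -1112 and -1140 hunks. `auth_ntlmssp_state` in these functions appears to be such a pointer (the -1140 hunk uses `&vuser->auth_ntlmssp_state`, the -789 hunk dereferences it), which makes the order in the -624 hunk, `auth_ntlmssp_end()` before the invalidate, load-bearing. The visible lines return straight after each call, but the function bodies and their callers lie outside the hunks and should be checked for any use of `vuser` or `*auth_ntlmssp_state` after a failure return. A comment at the -624 site such as `/* auth_ntlmssp_state lives inside the vuser: end it before the vuid is freed */` would keep the order from being swapped later.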
@@ -690,7 +690,7 @@ static int reply_spnego_negotiate(connection_struct *conn,
 status = parse_spnego_mechanisms(blob1, &secblob, &got_kerberos_mechanism);
 if (!NT_STATUS_IS_OK(status)) {
 /* Kill the intermediate vuid */
- invalidate_vuid(vuid);
+ invalidate_intermediate_vuid(vuid);
 return ERROR_NT(nt_status_squash(status));
 }
@@ -704,7 +704,7 @@ static int reply_spnego_negotiate(connection_struct *conn,
 data_blob_free(&secblob);
 if (destroy_vuid) {
 /* Kill the intermediate vuid */
- invalidate_vuid(vuid);
+ invalidate_intermediate_vuid(vuid);
 }
 return ret;
 }
@@ -717,7 +717,7 @@ static int reply_spnego_negotiate(connection_struct *conn,
 status = auth_ntlmssp_start(auth_ntlmssp_state);
 if (!NT_STATUS_IS_OK(status)) {
 /* Kill the intermediate vuid */
- invalidate_vuid(vuid);
+ invalidate_intermediate_vuid(vuid);
 return ERROR_NT(nt_status_squash(status));
 }
@@ -755,7 +755,7 @@ static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf,
 file_save("auth.dat", blob1.data, blob1.length);
 #endif
 /* Kill the intermediate vuid */
- invalidate_vuid(vuid);
+ invalidate_intermediate_vuid(vuid);
 return ERROR_NT(nt_status_squash(NT_STATUS_INVALID_PARAMETER));
 }
@@ -776,7 +776,7 @@ static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf,
 data_blob_free(&auth);
 if (destroy_vuid) {
 /* Kill the intermediate vuid */
- invalidate_vuid(vuid);
+ invalidate_intermediate_vuid(vuid);
 }
 return ret;
 }
@@ -789,7 +789,7 @@ static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf,
 if (!*auth_ntlmssp_state) {
 /* Kill the intermediate vuid */
- invalidate_vuid(vuid);
+ invalidate_intermediate_vuid(vuid);
 /* auth before negotiatiate? */
 return ERROR_NT(nt_status_squash(NT_STATUS_INVALID_PARAMETER));
@@ -1112,7 +1112,7 @@ static int reply_sesssetup_and_X_spnego(connection_struct *conn, char *inbuf,
 if (!NT_STATUS_IS_OK(status)) {
 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 /* Real error - kill the intermediate vuid */
- invalidate_vuid(vuid);
+ invalidate_intermediate_vuid(vuid);
 }
 data_blob_free(&blob1);
 return ERROR_NT(nt_status_squash(status));
@@ -1140,7 +1140,7 @@ static int reply_sesssetup_and_X_spnego(connection_struct *conn, char *inbuf,
 status = auth_ntlmssp_start(&vuser->auth_ntlmssp_state);
 if (!NT_STATUS_IS_OK(status)) {
 /* Kill the intermediate vuid */
- invalidate_vuid(vuid);
+ invalidate_intermediate_vuid(vuid);
 data_blob_free(&blob1);
 return ERROR_NT(nt_status_squash(status));
 }
--
2.47.3