s3: smbd: init_smb1_request() isn't being passed zero'ed memory from any codepath.
authorJeremy Allison <jra@samba.org>
Sat, 12 Aug 2023 00:14:38 +0000 (17:14 -0700)
committerNoel Power <npower@samba.org>
Tue, 15 Aug 2023 11:12:32 +0000 (11:12 +0000)
If a client does a SMB1 NEGPROT followed by SMB1 TCON
then req->session is left uninitialized.

Show this causes a crash by deliberately initializing
req->session to an invalid pointer. This will be removed
once the test shows the crash, and the fix is added to
cause init_smb1_request() to zero the memory passed in.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15432

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
source3/smbd/smb2_process.c

index 923810eeff63174f609a30b86a2e91a35d273bca..99e30481491612764d532d2e792802388e2476d6 100644 (file)
@@ -760,6 +760,7 @@ bool init_smb1_request(struct smb_request *req,
        req->smb2req = NULL;
        req->chain = NULL;
        req->posix_pathnames = lp_posix_pathnames();
+       req->session = (void *)0xDEADBEEF;
 
        /* Ensure we have at least wct words and 2 bytes of bcc. */
        if (smb_size + req->wct*2 > req_size) {
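Review bot: The poison store `req->session = (void *)0xDEADBEEF;` is unconditional and carries no marker that it is a temporary test aid, so if the announced follow-up that zeroes the struct slips, every SMB1 request would ship with a deliberately invalid session pointer; add `/* TEMPORARY: poison to expose bug 15432 (NEGPROT then TCON leaves req->session uninitialised) - remove once init_smb1_request() zeroes *req. */` directly above it. The defect being demonstrated is a read of an uninitialised pointer that, per the description, a client reaches with just NEGPROT and TCON (i.e. before any session setup), so the eventual fix should clear the whole `struct smb_request` at the top of init_smb1_request() rather than add more field-by-field initialisers like `req->smb2req = NULL;` and `req->chain = NULL;`, otherwise any field that is not explicitly assigned stays uninitialised in exactly the same way. Converting an arbitrary integer such as 0xDEADBEEF to a pointer is also implementation-defined in C, which is tolerable for a one-commit poison but not something to leave behind. init_smb1_request() starts before this hunk and continues past it.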