From 5866bb3c57d092266ab28306c8682ddf304c219d Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Fri, 25 Sep 2015 21:06:57 +0200
Subject: [PATCH 1/2] s3: smbd: fix a crash in unix_convert()
Some error code paths may result in dirpath being NULL.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11535
Signed-off-by: Ralph Boehme
Reviewed-by: Jeremy Allison
(cherry picked from commit bec685fb13e7cbe3bb98e5647183720d31f1c522)
---
 source3/smbd/filename.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
index 4d597e6..b296817 100644
--- a/source3/smbd/filename.c
+++ b/source3/smbd/filename.c
@@ -1014,7 +1014,7 @@ NTSTATUS unix_convert(TALLOC_CTX *ctx,
 return NT_STATUS_OK;
 fail:
 DEBUG(10, ("dirpath = [%s] start = [%s]\n", dirpath, start));
- if (*dirpath != '\0') {
+ if (dirpath && *dirpath != '\0') {
 smb_fname->base_name = talloc_asprintf(smb_fname, "%s/%s", dirpath, start);
 } else {
-- 
2.1.4
From a12bf180b939567e7dfdb811396c6059f75597f0 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Wed, 30 Sep 2015 17:12:11 -0700
Subject: [PATCH 2/2] s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bug #11522).
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Ensure dirpath can never be NULL.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11535
Signed-off-by: Jeremy Allison
Reviewed-by: Ralph Boehme
Autobuild-User(master): Ralph Böhme
Autobuild-Date(master): Thu Oct 1 08:58:36 CEST 2015 on sn-devel-104
(cherry picked from commit f9ceaf443991e0bb5db23eeced2841436f47359e)
---
 source3/smbd/filename.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
index b296817..f9ba2fb 100644
--- a/source3/smbd/filename.c
+++ b/source3/smbd/filename.c
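Review bot: In the `fail:` hunk of patch 1/2, the `DEBUG(10, ...)` line directly above the changed condition still passes `dirpath` to a `%s` conversion, so the NULL case this commit guards against is formatted before the new check runs. Passing NULL for `%s` is undefined behaviour in C; glibc prints `(null)`, but that is not guaranteed on every platform, and the argument is presumably only evaluated when the debug level is high enough. Consider `dirpath ? dirpath : "(null)"` in that call. As a style point, `if (dirpath != NULL && *dirpath != '\0') {` would match the explicit `dirpath == NULL` comparison used in patch 2/2. The body of unix_convert() starts and ends outside the hunk.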
@@ -389,6 +389,12 @@ NTSTATUS unix_convert(TALLOC_CTX *ctx,
 status = map_nt_error_from_unix(errno);
 goto err;
 }
+ /* dirpath must exist. */
+ dirpath = talloc_strdup(ctx,"");
+ if (dirpath == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto err;
+ }
 DEBUG(5, ("conversion finished %s -> %s\n", orig_path, smb_fname->base_name));
-- 
2.1.4
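Review bot: The added `dirpath = talloc_strdup(ctx,"");` establishes the non-NULL invariant only on this one early-exit branch, and the comment `/* dirpath must exist. */` does not say which later code depends on it. From the hunk alone it cannot be confirmed that every other path to the shared exit code also sets `dirpath`, so the defensive NULL test from patch 1/2 should stay. I would expand the comment to something like `/* dirpath must be non-NULL: later code in unix_convert() dereferences it. */`, with the wording confirmed against the rest of the function. Style nit: `talloc_strdup(ctx, "")` with a space after the comma. unix_convert() continues outside the hunk.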