From 25452a2268ac7013da28125f3df22085139af12d Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Tue, 9 Mar 2010 11:14:14 +0100
Subject: [PATCH] s3: Fix a NULL pointer dereference
Found by Laurent Gaffie . Thanks! Volker
---
 source3/smbd/process.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index 65bb25db596..9a39779a2bc 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1810,6 +1810,15 @@ void chain_reply(struct smb_request *req)
 */
 if ((req->wct < 2) || (CVAL(req->outbuf, smb_wct) < 2)) {
+ if (req->chain_outbuf == NULL) {
+ req->chain_outbuf = TALLOC_REALLOC_ARRAY(
+ req, req->outbuf, uint8_t,
+ smb_len(req->outbuf) + 4);
+ if (req->chain_outbuf == NULL) {
+ smb_panic("talloc failed");
+ }
+ }
+ req->outbuf = NULL;
 goto error;
 }
@@ -1837,7 +1846,7 @@ void chain_reply(struct smb_request *req)
 req->chain_outbuf = TALLOC_REALLOC_ARRAY( req, req->outbuf, uint8_t, smb_len(req->outbuf) + 4);
 if (req->chain_outbuf == NULL) {
- goto error;
+ smb_panic("talloc failed");
 }
 req->outbuf = NULL;
 } else {
-- 
2.34.1
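Review bot: In the @@ -1810 hunk, `req->outbuf = NULL;` runs whether or not the buffer was moved into `req->chain_outbuf`, so when `chain_outbuf` is already set the reply built for the short-wct command is dropped without being spliced or freed. If that is intended, a comment such as `/* error label needs a non-NULL chain_outbuf; a later reply in the chain is deliberately discarded */` would record it; if not, an `else { TALLOC_FREE(req->outbuf); }` arm would release it explicitly (the talloc parent of `req->outbuf` is not visible here, so the leak is inferred). The promote-or-panic block now duplicates the one in the @@ -1837 hunk and would be easier to keep consistent as one static helper. `req->wct` appears to come from the client request, so a regression test that reaches this branch with `chain_outbuf == NULL` would guard the fix. The rest of chain_reply, including the `error` label, lies outside the hunk.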
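Review bot: In the @@ -1837 hunk, `smb_panic("talloc failed")` turns an allocation failure into a process abort with a message that does not identify the call site, and the @@ -1810 hunk uses the same string. The old `goto error` presumably reached the error label with `chain_outbuf` still NULL, so refusing to continue is right, but `smb_panic("chain_reply: talloc_realloc of outbuf failed");` would make the panic log attributable. Where a panic action or core dump is configured, a clean teardown of the connection (Samba has `exit_server_cleanly()`) may be preferable for an out-of-memory condition. Whichever is chosen, the commit message should say why, since the enclosing branch starts outside the hunk and the reason is not visible here.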