Make sure response->extra_data.data is always cleared out
author Matthew Newton <mcn4@leicester.ac.uk>
Thu, 8 Jan 2015 15:11:15 +0000 (15:11 +0000)
committer Jeremy Allison <jra@samba.org>
Fri, 9 Jan 2015 20:21:07 +0000 (21:21 +0100)
Otherwise a bad read can sometimes cause the function to return -1 with
an invalid pointer in extra_data.data, which is attempted to be freed
by the caller (e.g. libwbclient/wbc_pam.c wbcAuthenticateUserEx())
by calling winbindd_free_response().

Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
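The failure mode the commit message describes, reduced to a stand-alone C example. This is added illustration, not Samba code: `struct reply`, `struct wire`, `read_sock`, `read_reply_before`, `read_reply_after`, `run` and the two check functions are all hypothetical stand-ins, and the read primitive is assumed to deliver whatever bytes arrived before reporting -1 (the "bad read"). The wire image is constructed inline with a bogus server-side heap address in the pointer field, so the only difference between the two orderings is whether the caller's free sees that address or NULL.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for struct winbindd_response (not the real Samba layout):
   the extra_data pointer only means something in the server's address space. */
struct reply {
    uint32_t length;                      /* fixed part plus extra bytes */
    struct { void *data; } extra_data;
    unsigned char rest[16];               /* keeps the pointer inside the fixed part */
};

/* Constructed stand-in for the socket: bytes the server "wrote". */
struct wire { const unsigned char *bytes; size_t avail; };

/* Assumed read primitive: a short read delivers what arrived, then reports -1. */
static int read_sock(struct wire *w, void *dst, size_t n)
{
    size_t got = w->avail < n ? w->avail : n;
    memcpy(dst, w->bytes, got);
    w->bytes += got;
    w->avail -= got;
    return got == n ? (int)n : -1;
}

/* Caller-side cleanup in the role of winbindd_free_response(). */
static void free_reply(struct reply *r)
{
    free(r->extra_data.data);
    r->extra_data.data = NULL;
}

/* Variable-length tail, shared by both orderings below. */
static int read_extra(struct wire *w, struct reply *r)
{
    if (r->length <= sizeof(*r)) return 0;
    size_t extra = r->length - sizeof(*r);
    r->extra_data.data = malloc(extra);
    if (r->extra_data.data == NULL) return -1;
    if (read_sock(w, r->extra_data.data, extra) != -1) return 0;
    free_reply(r);                        /* failure leaves NULL, never a dangling pointer */
    return -1;
}

/* Ordering before the patch: cleared only after the early return, so a failed
   fixed-size read hands the caller the server's pointer and free_reply() frees it. */
static int read_reply_before(struct wire *w, struct reply *r)
{
    if (read_sock(w, r, sizeof(*r)) == -1) return -1;
    r->extra_data.data = NULL;
    return read_extra(w, r);
}

/* Ordering after the patch: clear right after the read, before any return. */
static int read_reply_after(struct wire *w, struct reply *r)
{
    int n = read_sock(w, r, sizeof(*r));
    r->extra_data.data = NULL;
    if (n == -1) return -1;
    return read_extra(w, r);
}

/* Drive one read_reply over a constructed wire image: the server's struct (with a
   server-only heap address in extra_data.data) plus `extra` payload bytes, truncated
   to `deliver` bytes to simulate a short read. */
static int run(int (*read_reply)(struct wire *, struct reply *),
               size_t extra, size_t deliver, struct reply *r)
{
    unsigned char buf[sizeof(struct reply) + 64];
    struct reply srv;
    memset(&srv, 0, sizeof srv);
    srv.length = (uint32_t)(sizeof srv + extra);
    srv.extra_data.data = (void *)(uintptr_t)0xdeadbeefu; /* meaningless on the client */
    memcpy(buf, &srv, sizeof srv);
    memset(buf + sizeof srv, 'x', extra);
    struct wire w = { buf, deliver };
    memset(r, 0, sizeof *r);
    return read_reply(&w, r);
}

/* 1 if a short fixed-size read leaves a stale non-NULL pointer for the caller to
   free, 0 if it was cleared, -1 if the read did not fail. */
static int stale_pointer_after_short_read(int (*read_reply)(struct wire *, struct reply *))
{
    struct reply r;
    if (run(read_reply, 8, sizeof r - 4, &r) != -1) return -1;
    return r.extra_data.data != NULL;
}

/* Complete reply with 8 extra bytes: count the 'x' payload bytes, then free
   through free_reply() as a caller would. */
static int extra_bytes_received(int (*read_reply)(struct wire *, struct reply *))
{
    struct reply r;
    int count = 0;
    if (run(read_reply, 8, sizeof r + 8, &r) != 0) return -1;
    for (size_t i = 0; i < 8; i++)
        count += ((unsigned char *)r.extra_data.data)[i] == 'x';
    free_reply(&r);
    return count;
}
```

With the pre-patch ordering `stale_pointer_after_short_read(read_reply_before)` returns 1: the caller's cleanup would call free() on an address that was only ever valid in the server process. With the patched ordering it returns 0, and the success path (`extra_bytes_received`) behaves identically in both, which is why moving the assignment is enough and no caller change is needed.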
nsswitch/wb_common.c

index 44bfaf42ce7e3fe2f9ccd9d86366627cb43e1610..3b67df03003c6e6a1341d1c641d00f6861793e23 100644 (file)
@@ -552,6 +552,13 @@ static int winbindd_read_reply(struct winbindd_response *response)
 
        result1 = winbind_read_sock(response,
                                    sizeof(struct winbindd_response));
+
+       /* We actually send the pointer value of the extra_data field from
+          the server.  This has no meaning in the client's address space
+          so we clear it out. */
+
+       response->extra_data.data = NULL;
+
        if (result1 == -1) {
                return -1;
        }
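Review bot: the reset now runs before the `if (result1 == -1)` return, which is the actual fix, but the moved comment still only says that the pointer has no meaning on the client, not that it must happen before any early return; suggest extending it with a line such as "Do this before the error returns so a caller that calls winbindd_free_response() on failure never frees the server's pointer value." One thing to verify outside this hunk: once the variable-length read below assigns a freshly allocated buffer to extra_data.data, any failure path there that frees the buffer inside winbindd_read_reply() must set the field back to NULL for the same reason, otherwise the caller's winbindd_free_response() would free it a second time.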
@@ -560,12 +567,6 @@ static int winbindd_read_reply(struct winbindd_response *response)
                return -1;
        }
 
-       /* We actually send the pointer value of the extra_data field from
-          the server.  This has no meaning in the client's address space
-          so we clear it out. */
-
-       response->extra_data.data = NULL;
-
        /* Read variable length response */
 
        if (response->length > sizeof(struct winbindd_response)) {
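Review bot: the removed block is identical to the one added above, so this hunk is a pure move, and it is safe only because nothing between the new assignment and this point writes extra_data.data; from the visible context the intervening lines are just a second `return -1` path, so that holds. One style point: the "Read variable length response" block that follows no longer has the comment explaining where extra_data.data gets its client-side NULL, so a one-line note here that the field was reset directly after the fixed-size read would help the next reader see why it is safe to assign a new buffer into it.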