Avoid NULL pointer dereference in SMBsendend handler
author Michael Hanselmann <public@hansmi.ch>
Wed, 6 Mar 2019 22:44:23 +0000 (23:44 +0100)
committer Andrew Bartlett <abartlet@samba.org>
Tue, 12 Mar 2019 00:42:19 +0000 (00:42 +0000)
The "reply_sendend" function wouldn't check whether the connection had
any pending message state. A client sending an out-of-order SMBsendend
message would trigger a NULL pointer dereference.

Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Michael Hanselmann <public@hansmi.ch>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source3/smbd/message.c

index 1c3976dd3e9edb822cd200d4f9d8db5bed4c6112..a4ffad57b5cebc2dff8f5d81c93f643b8cae5a91 100644 (file)
@@ -306,6 +306,12 @@ void reply_sendend(struct smb_request *req)
                return;
        }
 
+       if (xconn->smb1.msg_state == NULL) {
+               reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+               END_PROFILE(SMBsendend);
+               return;
+       }
+
        DEBUG(3,("SMBsendend\n"));
 
        msg_deliver(xconn->smb1.msg_state);
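Review bot: the new NULL guard is placed before the `DEBUG(3,("SMBsendend\n"));` line, so an out-of-order SMBsendend now returns NT_STATUS_INVALID_PARAMETER with no log entry at all; consider adding a DEBUG line inside the new `if` block (e.g. `DEBUG(3,("SMBsendend without pending message state\n"));`) so that a client sending this sequence, which previously crashed smbd, remains visible to operators. The error path itself looks right: it mirrors the existing early return just above (END_PROFILE before `return;`), and since `msg_deliver(xconn->smb1.msg_state)` on the last context line is still called unconditionally, the check is the only thing standing between a NULL `msg_state` and the dereference, so it should stay ahead of any other use of `xconn->smb1.msg_state` in this function.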