From 764cfda2804d036e418365ceac92c2cb8a07577a Mon Sep 17 00:00:00 2001
From: Matthew Newton
Date: Thu, 8 Jan 2015 15:11:15 +0000
Subject: Make sure response->extra_data.data is always cleared out

Otherwise a bad read can sometimes cause the function to return -1 with an invalid pointer in extra_data.data, which is attempted to be freed by the caller (e.g. libwbclient/wbc_pam.c wbcAuthenticateUserEx()) by calling winbindd_free_response().

Reviewed-by: Volker Lendecke
Reviewed-by: Jeremy Allison
---
 nsswitch/wb_common.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

(limited to 'nsswitch/wb_common.c')

diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c
index 44bfaf42ce..3b67df0300 100644
--- a/nsswitch/wb_common.c
+++ b/nsswitch/wb_common.c
@@ -552,6 +552,13 @@ static int winbindd_read_reply(struct winbindd_response *response)
 result1 = winbind_read_sock(response, sizeof(struct winbindd_response));
+
+ /* We actually send the pointer value of the extra_data field from the server. This has no meaning in the client's address space so we clear it out. */
+
+ response->extra_data.data = NULL;
+
 if (result1 == -1) {
 return -1;
 }
@@ -560,12 +567,6 @@ static int winbindd_read_reply(struct winbindd_response *response)
 return -1;
 }
- /* We actually send the pointer value of the extra_data field from the server. This has no meaning in the client's address space so we clear it out. */
-
- response->extra_data.data = NULL;
-
 /* Read variable length response */
 if (response->length > sizeof(struct winbindd_response)) {
-- 
cgit
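Review bot: The relocated comment in the first hunk says why the pointer is meaningless in the client, but not why the clear now has to sit before the `if (result1 == -1)` early return, which is the whole reason for the move and the thing a later reorder would silently undo; extend it with a line such as `Clear it before any early return: callers free extra_data.data via winbindd_free_response() even when this function fails.` The same ordering constraint covers whatever check produces the `return -1;` at the top of the second hunk (those lines are not in view), so the single clear placed here is enough for both, and the second hunk needs no separate note. The comment also records that the server writes a raw pointer value onto the socket; clearing it on receipt keeps callers from freeing it, but the value is still an address from the winbindd process handed to every local client, which is presumably worth zeroing on the sending side as well, outside this file. winbindd_read_reply continues past the end of both hunks.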