r17918: * NULL deref fixes

* time fixes for tortore
* nmbd crash fix

6 files changed, 22 insertions, 13 deletions

diff --git a/source/nmbd/nmbd_namequery.c b/source/nmbd/nmbd_namequery.c
index 1b07852f111..2c1cd130345 100644
--- a/source/nmbd/nmbd_namequery.c
+++ b/source/nmbd/nmbd_namequery.c
@@ -59,7 +59,15 @@ static void query_name_response( struct subnet_record   *subrec,
   
 			rrec->repeat_count = 0;
 			/* How long we should wait for. */
-			rrec->repeat_time = p->timestamp + nmb->answers->ttl;
+			if (nmb->answers) {
+				rrec->repeat_time = p->timestamp + nmb->answers->ttl;
+			} else {
+				/* No answer - this is probably a corrupt
+				   packet.... */
+				DEBUG(0,("query_name_response: missing answer record in "
+					"NMB_WACK_OPCODE response.\n"));
+				rrec->repeat_time = p->timestamp + 10;
+			}
 			rrec->num_msgs--;
 			return;
 		} else if(nmb->header.rcode != 0) {
diff --git a/source/rpc_parse/parse_samr.c b/source/rpc_parse/parse_samr.c
index 9026d503c30..0bde3da26c8 100644
--- a/source/rpc_parse/parse_samr.c
+++ b/source/rpc_parse/parse_samr.c
@@ -6895,8 +6895,7 @@ void init_samr_q_set_userinfo2(SAMR_Q_SET_USERINFO2 * q_u,
 	q_u->switch_value = switch_value;
 	q_u->ctr = ctr;
 
-	if (q_u->ctr != NULL)
-		q_u->ctr->switch_value = switch_value;
+	q_u->ctr->switch_value = switch_value;
 
 	switch (switch_value) {
 	case 18:
diff --git a/source/rpc_server/srv_srvsvc_nt.c b/source/rpc_server/srv_srvsvc_nt.c
index a936ef58709..9cce7159674 100644
--- a/source/rpc_server/srv_srvsvc_nt.c
+++ b/source/rpc_server/srv_srvsvc_nt.c
@@ -653,7 +653,9 @@ static void init_srv_sess_info_0(SRV_SESS_INFO_0 *ss0, uint32 *snum, uint32 *sto
 	(*stot) = list_sessions(&session_list);
 
 	if (ss0 == NULL) {
-		(*snum) = 0;
+		if (snum) {
+			(*snum) = 0;
+		}
 		SAFE_FREE(session_list);
 		return;
 	}
diff --git a/source/torture/torture.c b/source/torture/torture.c
index 0b3bfc18f4a..a8a8e847fbb 100644
--- a/source/torture/torture.c
+++ b/source/torture/torture.c
@@ -2433,8 +2433,8 @@ static BOOL run_trans2test(int dummy)
 	fnum = cli_open(cli, fname, 
 			O_RDWR | O_CREAT | O_TRUNC, DENY_NONE);
 	cli_close(cli, fnum);
-	if (!cli_qpathinfo2(cli, fname, &c_time, &a_time, &m_time, 
-			    &w_time, &size, NULL, NULL)) {
+	if (!cli_qpathinfo2(cli, fname, &c_time, &a_time, &w_time, 
+			    &m_time, &size, NULL, NULL)) {
 		printf("ERROR: qpathinfo2 failed (%s)\n", cli_errstr(cli));
 		correct = False;
 	} else {
@@ -2455,8 +2455,8 @@ static BOOL run_trans2test(int dummy)
 		correct = False;
 	}
 	sleep(3);
-	if (!cli_qpathinfo2(cli, "\\trans2\\", &c_time, &a_time, &m_time, 
-			    &w_time, &size, NULL, NULL)) {
+	if (!cli_qpathinfo2(cli, "\\trans2\\", &c_time, &a_time, &w_time, 
+			    &m_time, &size, NULL, NULL)) {
 		printf("ERROR: qpathinfo2 failed (%s)\n", cli_errstr(cli));
 		correct = False;
 	}
@@ -2465,8 +2465,8 @@ static BOOL run_trans2test(int dummy)
 			O_RDWR | O_CREAT | O_TRUNC, DENY_NONE);
 	cli_write(cli, fnum,  0, (char *)&fnum, 0, sizeof(fnum));
 	cli_close(cli, fnum);
-	if (!cli_qpathinfo2(cli, "\\trans2\\", &c_time, &a_time, &m_time2, 
-			    &w_time, &size, NULL, NULL)) {
+	if (!cli_qpathinfo2(cli, "\\trans2\\", &c_time, &a_time, &w_time, 
+			    &m_time2, &size, NULL, NULL)) {
 		printf("ERROR: qpathinfo2 failed (%s)\n", cli_errstr(cli));
 		correct = False;
 	} else {
diff --git a/source/utils/ntlm_auth.c b/source/utils/ntlm_auth.c
index ef24f9f1611..5695460378f 100644
--- a/source/utils/ntlm_auth.c
+++ b/source/utils/ntlm_auth.c
@@ -1097,7 +1097,6 @@ static void manage_client_ntlmssp_targ(SPNEGO_DATA spnego)
 	if (client_ntlmssp_state == NULL) {
 		DEBUG(1, ("Got NTLMSSP tArg without a client state\n"));
 		x_fprintf(x_stdout, "BH\n");
-		ntlmssp_end(&client_ntlmssp_state);
 		return;
 	}
 
diff --git a/source/web/cgi.c b/source/web/cgi.c
index d289613b4ba..046dd3bee62 100644
--- a/source/web/cgi.c
+++ b/source/web/cgi.c
@@ -80,8 +80,9 @@ static char *grab_line(FILE *f, int *cl)
 
 	}
 	
-
-	ret[i] = 0;
+	if (ret) {
+		ret[i] = 0;
+	}
 	return ret;
 }