From 12a2230581b3ff5c7a29819532652d7ddfe61521 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Fri, 8 Nov 2013 16:14:35 +0100
Subject: s4-smb_server: Fix a use after free.

If we haven't allocated the smbsrv_session then we should not free it.

Signed-off-by: Andreas Schneider
Reviewed-by: Jeremy Allison
---
 source4/smb_server/smb/sesssetup.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'source4/smb_server')

diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c
index b26c1281dda..4ebc0c47718 100644
--- a/source4/smb_server/smb/sesssetup.c
+++ b/source4/smb_server/smb/sesssetup.c
@@ -415,6 +415,7 @@ static void sesssetup_spnego(struct smbsrv_request *req, union smb_sesssetup *se
 {
 	NTSTATUS status;
 	struct smbsrv_session *smb_sess = NULL;
+	bool is_smb_sess_new = false;
 	struct sesssetup_spnego_state *s = NULL;
 	uint16_t vuid;
 	struct tevent_req *subreq;
@@ -465,6 +466,7 @@ static void sesssetup_spnego(struct smbsrv_request *req, union smb_sesssetup *se
 		status = NT_STATUS_INSUFFICIENT_RESOURCES;
 		goto failed;
 	}
+	is_smb_sess_new = true;
 } else {
 		smb_sess = smbsrv_session_find_sesssetup(req->smb_conn, vuid);
 	}
@@ -510,7 +512,9 @@ static void sesssetup_spnego(struct smbsrv_request *req, union smb_sesssetup *se
 nomem:
 	status = NT_STATUS_NO_MEMORY;
 failed:
-	talloc_free(smb_sess);
+	if (is_smb_sess_new) {
+		talloc_free(smb_sess);
+	}
 	status = nt_status_squash(status);
 	smbsrv_sesssetup_backend_send(req, sess, status);
 }
--
cgit
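Review bot: In the second hunk `is_smb_sess_new = true;` is set only after the `status = NT_STATUS_INSUFFICIENT_RESOURCES; goto failed;` check, so if `smb_sess` has already been allocated by the time that check runs (the allocation site is above the hunk, so this is inferred), that early exit now reaches `failed:` with the flag still false and the freshly created session is leaked instead of freed. Setting the flag immediately after the allocation call succeeds, rather than after the later resource check, keeps the guard in the third hunk correct on every early-exit path; if the allocation is in fact the last statement before this check, the current placement is fine and a one-line comment saying so would save the next reader the same question. In the third hunk it would also be worth adding `smb_sess = NULL;` after `talloc_free(smb_sess);` so that any use of the pointer later in the function fails visibly rather than touching freed memory. sesssetup_spnego begins before the first hunk and the allocation site is not visible here.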