From 999533c0ccced59141d8baff5bc248d63e2a966f Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Fri, 13 Jun 2008 15:30:08 +0200
Subject: [PATCH] Fix a crash in _winreg_QueryValue
Coverity ID 474, value_length and type are both unique, not ref pointers and can thus be NULL. Karolin, please merge this to -stable. Thanks, Volker
---
 source/rpc_server/srv_winreg_nt.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/source/rpc_server/srv_winreg_nt.c b/source/rpc_server/srv_winreg_nt.c
index 7b748711048..84bcf0bf892 100644
--- a/source/rpc_server/srv_winreg_nt.c
+++ b/source/rpc_server/srv_winreg_nt.c
@@ -230,6 +230,10 @@ WERROR _winreg_QueryValue(pipes_struct *p, struct winreg_QueryValue *r)
 if ( !regkey )
 return WERR_BADFID;
+ if ((r->out.value_length == NULL) || (r->out.type == NULL)) {
+ return WERR_INVALID_PARAM;
+ }
+
 *r->out.value_length = *r->out.type = REG_NONE;
 DEBUG(7,("_reg_info: policy key name = [%s]\n", regkey->key->name));
-- 
2.11.4.GIT
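Review bot: The new NULL guard in front of `*r->out.value_length = *r->out.type = REG_NONE;` has no comment saying why these pointers can be NULL, and the reason is security-relevant. Per the commit message they are unique rather than ref pointers, so the NULL presumably arrives in the client's marshalled request and the crash was reachable by any caller of this RPC. I would add `/* value_length and type are unique, not ref, pointers: the client may send NULL */` above the check so it is not later removed as redundant. _winreg_QueryValue continues past the end of the hunk, so any other unique pointers in `r->in`/`r->out` that are dereferenced further down are not visible here and should be audited the same way.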