From 801fc31d363c1ab9f016bbe2dc8e0bbebbabcbd3 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Thu, 16 Apr 2009 16:19:10 -0700
Subject: [PATCH] Fix bug found by Tim Prouty, logging off and then re-using a
 vuid can cause smbd to access a freed structure. Jeremy. (cherry picked from
 commit e023058f5b774ddbb61e8187aa7dbd2e6e25804d)

---
 source3/smbd/uid.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
index f8c55b1b8f8..b8ed321a458 100644
--- a/source3/smbd/uid.c
+++ b/source3/smbd/uid.c
@@ -164,6 +164,10 @@ void conn_clear_vuid_cache(connection_struct *conn, uint16_t vuid)
 
 		if (ent->vuid == vuid) {
 			ent->vuid = UID_FIELD_INVALID;
+			/* Ensure we're not freeing an active pointer. */
+			if (conn->server_info == ent->server_info) {
+				conn->server_info = NULL;
+			}
 			TALLOC_FREE(ent->server_info);
 			ent->read_only = False;
 			ent->admin_user = False;
@@ -216,6 +220,13 @@ bool change_to_user(connection_struct *conn, uint16 vuid)
 
 	server_info = vuser ? vuser->server_info : conn->server_info;
 
+	if (!server_info) {
+		/* Invalid vuid sent - even with security = share. */
+		DEBUG(2,("change_to_user: Invalid vuid %d used on "
+			 "share %s.\n",vuid, lp_servicename(snum) ));
+		return false;
+	}
+
 	if (!check_user_ok(conn, vuid, server_info, snum)) {
 		DEBUG(2,("change_to_user: SMB user %s (unix user %s, vuid %d) "
 			 "not permitted access to share %s.\n",
-- 
2.11.4.GIT