From 33a8e9b5377d2d6bffeb0640d388fa4c8e2f8c65 Mon Sep 17 00:00:00 2001
From: =?utf8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 28 Mar 2008 13:40:13 +0100
Subject: [PATCH] Check for buffer in decode_wkssvc_join_password_buffer.

Guenther
(This used to be commit 2134d80c05fd7a37f44317335b40d7961c429c7b)
---
 source3/libsmb/smbencrypt.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/source3/libsmb/smbencrypt.c b/source3/libsmb/smbencrypt.c
index c547a4a0034..e7198b801d3 100644
--- a/source3/libsmb/smbencrypt.c
+++ b/source3/libsmb/smbencrypt.c
@@ -748,16 +748,24 @@ WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
 	struct MD5Context ctx;
 	uint32_t pwd_len;
 
-	DATA_BLOB confounded_session_key = data_blob_talloc(mem_ctx, NULL, 16);
+	DATA_BLOB confounded_session_key;
 
 	int confounder_len = 8;
 	uint8_t confounder[8];
 
+	*pwd = NULL;
+
+	if (!pwd_buf) {
+		return WERR_BAD_PASSWORD;
+	}
+
 	if (session_key->length != 16) {
 		DEBUG(10,("invalid session key\n"));
 		return WERR_BAD_PASSWORD;
 	}
 
+	confounded_session_key = data_blob_talloc(mem_ctx, NULL, 16);
+
 	memcpy(&confounder, &pwd_buf->data[0], confounder_len);
 	memcpy(&buffer, &pwd_buf->data[8], 516);
 
@@ -769,6 +777,7 @@ WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
 	SamOEMhashBlob(buffer, 516, &confounded_session_key);
 
 	if (!decode_pw_buffer(mem_ctx, buffer, pwd, &pwd_len, STR_UNICODE)) {
+		data_blob_free(&confounded_session_key);
 		return WERR_BAD_PASSWORD;
 	}
 
-- 
2.11.4.GIT