From 235f6847c1ec6adfe74270998ceea3a1d38de650 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Atte=20Heikkil=C3=A4?= <atteh.mailbox@gmail.com>
Date: Thu, 10 Aug 2023 02:49:14 +0300
Subject: [PATCH] ksmbd-tools: fix NULL deref in samr_open_user_return()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Accessing ch->user->uid can result in NULL deref since ch->user can be
NULL. This was the case in samr_query_security_return() also before
commit 244725b. Fix the NULL deref in samr_open_user_return().

Signed-off-by: Atte Heikkilä <atteh.mailbox@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
---
 mountd/rpc_samr.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/mountd/rpc_samr.c b/mountd/rpc_samr.c
index e169810b117f..bac4ce051a67 100644
--- a/mountd/rpc_samr.c
+++ b/mountd/rpc_samr.c
@@ -390,6 +390,9 @@ static int samr_open_user_return(struct ksmbd_rpc_pipe *pipe)
 		return KSMBD_RPC_EBAD_FID;
 	ch->refcount++;
 
+	if (!ch->user)
+		return KSMBD_RPC_EBAD_FID;
+
 	if (dce->sm_req.rid != ch->user->uid)
 		return KSMBD_RPC_EBAD_FID;
 
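Review bot: The new `if (!ch->user)` check sits after `ch->refcount++;`, so a NULL `ch->user` now takes the handle reference and then returns `KSMBD_RPC_EBAD_FID` without dropping it. The existing `dce->sm_req.rid != ch->user->uid` return has the same shape, so this follows the pattern already in the function rather than introducing it, but it is worth either placing the NULL check before the increment (it needs nothing from the reference) or confirming in the commit message that the caller releases the channel on `KSMBD_RPC_EBAD_FID`. A one-line comment noting why `ch->user` can be NULL here (the commit message mentions the same condition in `samr_query_security_return()`) would also help the next reader.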
-- 
2.34.1

