From c2cb25a04fa6db0e42e22949f8dcfcbc0ea1d450 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 18 Jun 2015 10:21:07 -0700 Subject: [PATCH] s3: smbd: Codenomicon crash in do_smb_load_module(). Inside api_pipe_bind_req() we look for a pipe module name using dcerpc_default_transport_endpoint(pkt, NCACN_NP, table) which returns NULL when given invalid pkt data from the Codenomicon fuzzer. This gets passed directly to smb_probe_module(), which then calls do_smb_load_module() which tries to deref the (NULL) module name. https://bugzilla.samba.org/show_bug.cgi?id=11342 Signed-off-by: Jeremy Allison Reviewed-by: Ira Cooper Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Thu Jun 18 22:14:01 CEST 2015 on sn-devel-104 (cherry picked from commit 5a82cc21379e3fe28441cd82647313c9390b41e7) --- lib/util/modules.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lib/util/modules.c b/lib/util/modules.c index 828f33a..1f00dd8 100644 --- a/lib/util/modules.c +++ b/lib/util/modules.c @@ -161,6 +161,11 @@ static NTSTATUS do_smb_load_module(const char *subsystem, char *full_path = NULL; TALLOC_CTX *ctx = talloc_stackframe(); + if (module_name == NULL) { + TALLOC_FREE(ctx); + return NT_STATUS_INVALID_PARAMETER; + } + /* Check for absolute path */ DEBUG(5, ("%s module '%s'\n", is_probe ? "Probing" : "Loading", module_name)); -- 2.4.3.573.g4eafbef
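Review bot: the NULL guard added at the top of do_smb_load_module() stops the crash at the point of dereference, but the caller named in the commit message, api_pipe_bind_req(), still passes the NULL result of dcerpc_default_transport_endpoint(pkt, NCACN_NP, table) straight into smb_probe_module(); that caller should test the return value itself and reject the bind request as malformed input, rather than relying on a loader-level NT_STATUS_INVALID_PARAMETER to surface a fuzzed packet. Two smaller points on the hunk: the check is correctly placed before the DEBUG(5, ("%s module '%s'\n", ..., module_name)) line, so the debug path can no longer format a NULL string either; and because talloc_stackframe() is called immediately above, the check could move ahead of that call so the invalid-input path does not allocate a frame only to TALLOC_FREE() it (a minor style point, the current ordering is correct as written).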