From 343dd33712c9bae8f57affa56c8ea202c67fea57 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 5 Jul 2021 17:17:30 +0200 Subject: [PATCH] smbXsrv_{open,session,tcon}: protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records I saw systems with locking.tdb records being part of: ctdb catdb smbXsrv_tcon_global.tdb It's yet unknown how that happened, but we should not panic in srvsvc_* calls because the info0 pointer was NULL. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14752 Signed-off-by: Stefan Metzmacher Reviewed-by: Volker Lendecke Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Jul 6 11:08:43 UTC 2021 on sn-devel-184 (cherry picked from commit 00bab5b3c821f272153a25ded9743460887a7907)
---
 source3/smbd/smbXsrv_open.c | 9 +++++++++ source3/smbd/smbXsrv_session.c | 7 +++++++ source3/smbd/smbXsrv_tcon.c | 7 +++++++ 3 files changed, 23 insertions(+)
diff --git a/source3/smbd/smbXsrv_open.c b/source3/smbd/smbXsrv_open.c
index 5180315449da..871820ac8764 100644
--- a/source3/smbd/smbXsrv_open.c
+++ b/source3/smbd/smbXsrv_open.c
@@ -1468,6 +1468,15 @@ static NTSTATUS smbXsrv_open_global_parse_record(TALLOC_CTX *mem_ctx,
 goto done;
 }
 
+ if (global_blob.info.info0 == NULL) {
+ status = NT_STATUS_INTERNAL_DB_CORRUPTION;
+ DEBUG(1,("Invalid record in smbXsrv_tcon_global.tdb:"
+ "key '%s' info0 NULL pointer - %s\n",
+ hex_encode_talloc(frame, key.dptr, key.dsize),
+ nt_errstr(status)));
+ goto done;
+ }
+
 *global = talloc_move(mem_ctx, &global_blob.info.info0);
 status = NT_STATUS_OK;
 done:
diff --git a/source3/smbd/smbXsrv_session.c b/source3/smbd/smbXsrv_session.c
index c55a57885a57..0e5b16e958c3 100644
--- a/source3/smbd/smbXsrv_session.c
+++ b/source3/smbd/smbXsrv_session.c
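Review bot: The new DEBUG message in smbXsrv_open_global_parse_record names `smbXsrv_tcon_global.tdb`, although this file handles the open database, so a corrupt record would be logged against the wrong tdb; the same string is repeated in the smbXsrv_session_global_traverse_fn hunk of smbXsrv_session.c. The commit message says the origin of the foreign records is still unknown, which makes this log line the main evidence an administrator has when tracing the corruption, and it should name the database that was actually read. I would use `"Invalid record in smbXsrv_open_global.tdb:"` here and `"Invalid record in smbXsrv_session_global.tdb:"` in the session hunk. Those names are inferred from the source file names, so check them against the other messages in each file. The function begins and ends outside the hunk.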
@@ -2234,6 +2234,13 @@ static int smbXsrv_session_global_traverse_fn(struct db_record *rec, void *data)
 goto done;
 }
 
+ if (global_blob.info.info0 == NULL) {
+ DEBUG(1,("Invalid record in smbXsrv_tcon_global.tdb:"
+ "key '%s' info0 NULL pointer\n",
+ hex_encode_talloc(frame, key.dptr, key.dsize)));
+ goto done;
+ }
+
 global_blob.info.info0->db_rec = rec;
 ret = state->fn(global_blob.info.info0, state->private_data);
 done:
diff --git a/source3/smbd/smbXsrv_tcon.c b/source3/smbd/smbXsrv_tcon.c
index d6c2bca0abca..8a0c427597cc 100644
--- a/source3/smbd/smbXsrv_tcon.c
+++ b/source3/smbd/smbXsrv_tcon.c
@@ -1208,6 +1208,13 @@ static int smbXsrv_tcon_global_traverse_fn(struct db_record *rec, void *data)
 goto done;
 }
 
+ if (global_blob.info.info0 == NULL) {
+ DEBUG(1,("Invalid record in smbXsrv_tcon_global.tdb:"
+ "key '%s' info0 NULL pointer\n",
+ hex_encode_talloc(frame, key.dptr, key.dsize)));
+ goto done;
+ }
+
 global_blob.info.info0->db_rec = rec;
 ret = state->fn(global_blob.info.info0, state->private_data);
 done:
--
2.25.1
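Review bot: On the new `goto done` path in smbXsrv_session_global_traverse_fn and smbXsrv_tcon_global_traverse_fn, `ret` is never assigned within the hunk, so what the callback returns for a NULL info0 record depends on an initial value declared outside the visible lines. If that value is non-zero and the traverse machinery treats non-zero as "stop", a single stray record would end the enumeration early and the srvsvc caller would get a truncated session or tree-connect list with only a level-1 debug line to show for it. If skipping the record is the intent, make that explicit with `ret = 0;` before the jump and a comment such as `/* skip invalid record, keep traversing */`; otherwise add a comment stating that a NULL info0 aborts the traverse. Both functions begin and end outside their hunks.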