From 95b351dfaa2065ff2d15954c3d24ea56558d0e7d Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 30 Mar 2012 11:58:31 -0700
Subject: [PATCH] Complete fix for bug #8811 - sd_has_inheritable_components
 segfaults on an SD that se_access_check accepts.

---
 source3/lib/secdesc.c            |    4 ++++
 source3/modules/vfs_acl_common.c |   25 ++++++++++++++++++++-----
 source3/smbd/file_access.c       |    5 ++++-
 3 files changed, 28 insertions(+), 6 deletions(-)

diff --git a/source3/lib/secdesc.c b/source3/lib/secdesc.c
index 001eccb..007e097 100644
--- a/source3/lib/secdesc.c
+++ b/source3/lib/secdesc.c
@@ -534,6 +534,10 @@ bool sd_has_inheritable_components(const struct security_descriptor *parent_ctr,
 	unsigned int i;
 	const struct security_acl *the_acl = parent_ctr->dacl;
 
+	if (the_acl == NULL) {
+		return false;
+	}
+
 	for (i = 0; i < the_acl->num_aces; i++) {
 		const struct security_ace *ace = &the_acl->aces[i];
 
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index 016bb9f..fe4c822 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -166,7 +166,7 @@ static NTSTATUS create_acl_blob(const struct security_descriptor *psd,
  CREATOR_OWNER/CREATOR_GROUP/WORLD.
 *******************************************************************/
 
-static void add_directory_inheritable_components(vfs_handle_struct *handle,
+static NTSTATUS add_directory_inheritable_components(vfs_handle_struct *handle,
                                 const char *name,
 				SMB_STRUCT_STAT *psbuf,
 				struct security_descriptor *psd)
@@ -184,7 +184,7 @@ static void add_directory_inheritable_components(vfs_handle_struct *handle,
 						num_aces + 3);
 
 	if (new_ace_list == NULL) {
-		return;
+		return NT_STATUS_NO_MEMORY;
 	}
 
 	/* Fake a quick smb_filename. */
@@ -236,8 +236,19 @@ static void add_directory_inheritable_components(vfs_handle_struct *handle,
 			SEC_ACE_FLAG_CONTAINER_INHERIT|
 				SEC_ACE_FLAG_OBJECT_INHERIT|
 				SEC_ACE_FLAG_INHERIT_ONLY);
-	psd->dacl->aces = new_ace_list;
-	psd->dacl->num_aces += 3;
+	if (psd->dacl) {
+		psd->dacl->aces = new_ace_list;
+		psd->dacl->num_aces += 3;
+	} else {
+		psd->dacl = make_sec_acl(talloc_tos(),
+				NT4_ACL_REVISION,
+				3,
+				new_ace_list);
+		if (psd->dacl == NULL) {
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+	return NT_STATUS_OK;
 }
 
 /*******************************************************************
@@ -393,10 +404,14 @@ static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle,
 			if (is_directory &&
 				!sd_has_inheritable_components(psd,
 							true)) {
-				add_directory_inheritable_components(handle,
+				status = add_directory_inheritable_components(
+							handle,
 							name,
 							psbuf,
 							psd);
+				if (!NT_STATUS_IS_OK(status)) {
+					return status;
+				}
 			}
 			/* The underlying POSIX module always sets
 			   the ~SEC_DESC_DACL_PROTECTED bit, as ACLs
diff --git a/source3/smbd/file_access.c b/source3/smbd/file_access.c
index 9f95d68..bd65a70 100644
--- a/source3/smbd/file_access.c
+++ b/source3/smbd/file_access.c
@@ -261,7 +261,10 @@ bool directory_has_default_acl(connection_struct *conn, const char *fname)
 	NTSTATUS status = SMB_VFS_GET_NT_ACL(conn, fname,
 				SECINFO_DACL, &secdesc);
 
-	if (!NT_STATUS_IS_OK(status) || secdesc == NULL) {
+	if (!NT_STATUS_IS_OK(status) ||
+			secdesc == NULL ||
+			secdesc->dacl == NULL) {
+		TALLOC_FREE(secdesc);
 		return false;
 	}
 
-- 
1.7.7.3