From 6ec81cbf62701f709b10d42fcdd90e54c53b3ccb Mon Sep 17 00:00:00 2001
From: wesommer <wesommer>
Date: Sat, 12 Sep 1987 20:42:11 +0000
Subject: [PATCH] Clean up after Gretzinger: cl->kname is not valid unless
 cl->clname is non-NULL.

---
 server/qrtn.qc | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/server/qrtn.qc b/server/qrtn.qc
index 505ae176..10e31d36 100644
--- a/server/qrtn.qc
+++ b/server/qrtn.qc
@@ -6,10 +6,18 @@
  *	Copyright (C) 1987 by the Massachusetts Institute of Technology
  *
  *	$Log$
- *	Revision 1.11  1987-09-01 16:10:01  wesommer
- *	This change was made by Mike, who didn't feel like checking it in.
- *	Temp hack: ignore instances.
+ *	Revision 1.12  1987-09-12 20:42:11  wesommer
+ *	Clean up after Gretzinger: cl->kname is not valid unless cl->clname is
+ *	non-NULL.
  *
+ * Revision 1.12  87/09/12  20:06:46  wesommer
+ * Fix security hole/null dereference bug: if clname is NULL, return
+ * permission denied in get_client.
+ * 
+ * Revision 1.11  87/09/01  16:10:01  wesommer
+ * This change was made by Mike, who didn't feel like checking it in.
+ * Temp hack: ignore instances.
+ * 
  * Revision 1.10  87/08/28  14:57:51  mike
  * Modified sms_query to not enclose RETRIEVE queries in begin/end transaction.
  * This was necessary to allow get_all_poboxes and get_groups_of_all_users
@@ -488,6 +496,9 @@ get_client(cl, client_type, client_id)
 ##  char *name;
 ##  int rowcount;
 
+    if (cl->clname == NULL)
+	return SMS_PERM;
+    
     /* for now ignore instances */
     krb = &cl->kname;
 
-- 
2.45.2