The Samba-Bugzilla – Attachment 13333 Details for Bug 12832: Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try
[patch] Patch for v4-6-test
tmp46.diff.txt (text/plain), 3.32 KB, created by Stefan Metzmacher on 2017-06-29 13:59:47 UTC
>From 756f6c638bdb8f5cb719cdf05eb7c2e41b4d51ae Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 9 Jun 2017 12:30:33 +0200 >Subject: [PATCH] s3:smb2_create: avoid reusing the 'tevent_req' within > smbd_smb2_create_send() > >As the caller ("smbd_smb2_request_process_create()") already sets the callback, >the first time, it's not safe to reuse the tevent_req structure. > >The typical 'tevent_req_nterror(); return tevent_req_post()' will >crash as the tevent_req_nterror() already triggered the former callback, >which calls smbd_smb2_create_recv(), were tevent_req_received() invalidates >the tevent_req structure, so that tevent_req_post() will crash. > >We just remember the required values from the old state >and move them to the new state. > >We tried to write reproducers for this, but sadly weren't able to trigger >the backtrace we had from a create a customer (using recent code) >with commit 6beba782f1bf951236813e0b46115b8102212c03 >included. And this patch fixed the situation for the >customer. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12832 > >Pair-Programmed-With: Volker Lendecke <vl@samba.org> > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 02146ea5ee729de0e49ecf617e6983f4e61fbe59) >--- > source3/smbd/smb2_create.c | 43 +++++++++++++++++++++++-------------------- > 1 file changed, 23 insertions(+), 20 deletions(-) > >diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c >index 8211991..0158924 100644 >--- a/source3/smbd/smb2_create.c >+++ b/source3/smbd/smb2_create.c 
>@@ -483,35 +483,38 @@ static struct tevent_req *smbd_smb2_create_send(TALLOC_CTX *mem_ctx, > requested_oplock_level = in_oplock_level; > } > >- >- if (smb2req->subreq == NULL) { >- /* New create call. */ >- req = tevent_req_create(mem_ctx, &state, >+ req = tevent_req_create(mem_ctx, &state, > struct smbd_smb2_create_state); >- if (req == NULL) { >- return NULL; >- } >- state->smb2req = smb2req; >+ if (req == NULL) { >+ return NULL; >+ } >+ state->smb2req = smb2req; > >- smb1req = smbd_smb2_fake_smb_request(smb2req); >- if (tevent_req_nomem(smb1req, req)) { >- return tevent_req_post(req, ev); >- } >- state->smb1req = smb1req; >- smb2req->subreq = req; >+ smb1req = smbd_smb2_fake_smb_request(smb2req); >+ if (tevent_req_nomem(smb1req, req)) { >+ return tevent_req_post(req, ev); >+ } >+ state->smb1req = smb1req; >+ >+ if (smb2req->subreq == NULL) { > DEBUG(10,("smbd_smb2_create: name[%s]\n", > in_name)); > } else { >- /* Re-entrant create call. */ >- req = smb2req->subreq; >- state = tevent_req_data(req, >- struct smbd_smb2_create_state); >- smb1req = state->smb1req; >- TALLOC_FREE(state->out_context_blobs); >+ struct smbd_smb2_create_state *old_state = tevent_req_data( >+ smb2req->subreq, struct smbd_smb2_create_state); >+ > DEBUG(10,("smbd_smb2_create_send: reentrant for file %s\n", > in_name )); >+ >+ state->id = old_state->id; >+ state->request_time = old_state->request_time; >+ state->open_rec = talloc_move(state, &old_state->open_rec); >+ state->open_was_deferred = old_state->open_was_deferred; > } > >+ TALLOC_FREE(smb2req->subreq); >+ smb2req->subreq = req; >+ > state->out_context_blobs = talloc_zero(state, struct smb2_create_blobs); > if (tevent_req_nomem(state->out_context_blobs, req)) { > return tevent_req_post(req, ev); >-- >1.9.1 >
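Review bot: In the re-entrant case the early `return tevent_req_post(req, ev);` after `tevent_req_nomem(smb1req, req)` now runs before `TALLOC_FREE(smb2req->subreq); smb2req->subreq = req;`, so on that failure path `smb2req->subreq` still points at the old request while the caller is handed the new one, and the old state still holds `open_rec`. Consider doing the `old_state` copy and the `subreq` swap directly after `tevent_req_create()` succeeds, before `smbd_smb2_fake_smb_request()`, so that every error return leaves `smb2req->subreq` equal to the returned `req`. The field-by-field carry-over (`id`, `request_time`, `open_rec`, `open_was_deferred`) would also benefit from a short code comment saying why the old `tevent_req` must not be reused and that any state member needed across a re-entrant call has to be added here, since that reasoning currently lives only in the commit message.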
Flags: slow: review+