From f801dc373b3e21c048daba83788d27d7bad73ce0 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 3 Sep 2018 15:54:48 +0200 Subject: [PATCH] smbd: Fix a memleak in async search ask sharemode fetch_share_mode_unlocked_parser() takes a "struct fetch_share_mode_unlocked_state *" as "private_data". fetch_share_mode_send() used a talloc_zero'ed "struct share_mode_lock". This lead to the parser putting a "struct share_mode_lock on the NULL talloc_context where nobody really picked it up. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13602 Signed-off-by: Volker Lendecke Reviewed-by: Ralph Boehme (cherry picked from commit 0bd109b733fbce774feae2142d25f7e828b56bcb) --- source3/locking/share_mode_lock.c | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/source3/locking/share_mode_lock.c b/source3/locking/share_mode_lock.c index cee00458079b..ec17bca98a66 100644 --- a/source3/locking/share_mode_lock.c +++ b/source3/locking/share_mode_lock.c @@ -673,7 +673,7 @@ static void fetch_share_mode_done(struct tevent_req *subreq); struct fetch_share_mode_state { struct file_id id; TDB_DATA key; - struct share_mode_lock *lck; + struct fetch_share_mode_unlocked_state parser_state; enum dbwrap_req_state req_state; }; @@ -721,17 +721,14 @@ struct tevent_req *fetch_share_mode_send(TALLOC_CTX *mem_ctx, state->id = id; state->key = locking_key(&state->id); - state->lck = talloc_zero(state, struct share_mode_lock); - if (tevent_req_nomem(state->lck, req)) { - return tevent_req_post(req, ev); - } + state->parser_state.mem_ctx = state; subreq = dbwrap_parse_record_send(state, ev, lock_db, state->key, fetch_share_mode_unlocked_parser, - state->lck, + &state->parser_state, &state->req_state); if (tevent_req_nomem(subreq, req)) { return tevent_req_post(req, ev); 
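Review bot: In fetch_share_mode_send, nothing at the dbwrap_parse_record_send() call records that the private_data argument must be the `struct fetch_share_mode_unlocked_state` that fetch_share_mode_unlocked_parser() expects. The old `state->lck` compiled without complaint, so the argument is presumably an untyped `void *` and the compiler will not catch the same mismatch again. A comment above the call, such as `/* private_data must be a struct fetch_share_mode_unlocked_state *; the parser allocates ->lck on ->mem_ctx */`, would keep that contract visible. The new code also relies on `parser_state.lck` starting out NULL, which holds only if tevent_req_create() zero-fills the state; that is not visible here, and the function body begins and ends outside the hunk.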
@@ -775,12 +772,12 @@ NTSTATUS fetch_share_mode_recv(struct tevent_req *req, return status; } - if (state->lck->data == NULL) { + if (state->parser_state.lck->data == NULL) { tevent_req_received(req); return NT_STATUS_NOT_FOUND; } - lck = talloc_move(mem_ctx, &state->lck); + lck = talloc_move(mem_ctx, &state->parser_state.lck); if (DEBUGLEVEL >= 10) { DBG_DEBUG("share_mode_data:\n"); -- 2.17.1
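Review bot: `state->parser_state.lck->data` in fetch_share_mode_recv dereferences a pointer that is now filled in only by the parser, whereas the removed code in fetch_share_mode_send allocated it up front and failed the request on out-of-memory. If the parser can return without setting `lck` (an allocation failure, or a record it chooses to skip; its body is not shown here), this becomes a NULL dereference in smbd. A guard before the `->data` test would close that, for example `if (state->parser_state.lck == NULL) { tevent_req_received(req); return NT_STATUS_NO_MEMORY; }`, with the status chosen to match what the parser's failure actually means. fetch_share_mode_recv starts and ends outside the hunk.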