Bug 10442 - Crash in smb2_notify code
Crash in smb2_notify code
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
All All
: P5 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
Depends on:
  Show dependency treegraph
Reported: 2014-02-13 11:48 UTC by Stefan Metzmacher
Modified: 2014-02-16 19:27 UTC (History)
1 user (show)

See Also:

Patch for v4-1-test (4.86 KB, patch)
2014-02-14 17:18 UTC, Stefan Metzmacher
jra: review+
asn: review+
Patch for v4-0-test (4.86 KB, patch)
2014-02-14 17:18 UTC, Stefan Metzmacher
jra: review+
asn: review+

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Metzmacher 2014-02-13 11:48:04 UTC
change_notify_add_request() talloc moves smb_request away,
which is not expected by the smb2_notify.c code...

smbd_smb2_notify_reply() uses tevent_req_defer_callback()
(in older versions an immediate event) to defer the response.
This is needed as change_notify_reply() will do more things
after calling reply_fn() (smbd_smb2_notify_reply is this case)
and often change_notify_remove_request() is called after

change_notify_remove_request() implicitly free's the smb_request
that was passed to change_notify_add_request().

smbd_smb2_fake_smb_request() added the smb_request as smb2req->smb1req,
which is expected to be available after smbd_smb2_notify_recv() returned.
Comment 1 Stefan Metzmacher 2014-02-14 17:18:11 UTC
Created attachment 9680 [details]
Patch for v4-1-test
Comment 2 Stefan Metzmacher 2014-02-14 17:18:38 UTC
Created attachment 9681 [details]
Patch for v4-0-test
Comment 3 Andreas Schneider 2014-02-16 16:13:39 UTC
Comment on attachment 9681 [details]
Patch for v4-0-test

Karolin, please apply the patches to the relevant branches. Thanks!
Comment 4 Karolin Seeger 2014-02-16 16:20:51 UTC
Pushed to autbuild-v4-1-test and autobuild-v4-0-test after freeze date, because it sounds like an important fix.
Comment 5 Karolin Seeger 2014-02-16 19:27:46 UTC
Pushed to v4-1-test and v4-0-test.
Closing out bug report.