authorVolker Lendecke <vl@samba.org>2012-08-07 22:25:53 +0200
committerJeremy Allison <jra@samba.org>2012-08-08 04:12:04 +0200
commit64c0367335fab0137e65f8cfa35af77ff854f654 (patch)
treea7a2d06943761f2b541d94ef73145205d09c0f7c
parentc2dee12d678234126648d150f6f03165a2b7c95b (diff)
downloadsamba-64c0367335fab0137e65f8cfa35af77ff854f654.tar.gz
samba-64c0367335fab0137e65f8cfa35af77ff854f654.tar.bz2
samba-64c0367335fab0137e65f8cfa35af77ff854f654.zip
s3: Fix a crash in reply_lockingX_error
A timed brlock with 2 locks comes in and the second one blocks, file is closed. smbd_cancel_pending_lock_requests_by_fid sets blr->fsp to NULL. reply_lockingX_error (called via MSG_SMB_BLOCKING_LOCK_CANCEL) dereferences blr->fsp because blr->lock_num==1 (the second one blocked). This patch fixes the bug by only undoing the locks if fsp!=NULL. fsp==NULL is the close case where everything is undone anyway. Thanks to Peter Somogyi, somogyi@hu.ibm.com for this bug report. Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Wed Aug 8 04:12:04 CEST 2012 on sn-devel-104
-rw-r--r--source3/smbd/blocking.c15
1 files changed, 11 insertions, 4 deletions
diff --git a/source3/smbd/blocking.c b/source3/smbd/blocking.c
index 3a45a275aa..95d6c330a0 100644
--- a/source3/smbd/blocking.c
+++ b/source3/smbd/blocking.c
@@ -336,7 +336,7 @@ static void generic_blocking_lock_error(struct blocking_lock_record *blr, NTSTAT
obtained first.
*****************************************************************************/
-static void reply_lockingX_error(struct blocking_lock_record *blr, NTSTATUS status)
+static void undo_locks_obtained(struct blocking_lock_record *blr)
{
files_struct *fsp = blr->fsp;
uint16 num_ulocks = SVAL(blr->req->vwv+6, 0);
@@ -380,8 +380,6 @@ static void reply_lockingX_error(struct blocking_lock_record *blr, NTSTATUS stat
offset,
WINDOWS_LOCK);
}
-
- generic_blocking_lock_error(blr, status);
}
/****************************************************************************
@@ -394,7 +392,16 @@ static void blocking_lock_reply_error(struct blocking_lock_record *blr, NTSTATUS
switch(blr->req->cmd) {
case SMBlockingX:
- reply_lockingX_error(blr, status);
+ /*
+ * This code can be called during the rundown of a
+ * file after it was already closed. In that case,
+ * blr->fsp==NULL and we do not need to undo any
+ * locks, they are already gone.
+ */
+ if (blr->fsp != NULL) {
+ undo_locks_obtained(blr);
+ }
+ generic_blocking_lock_error(blr, status);
break;
case SMBtrans2:
case SMBtranss2:
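Review bot: The NULL guard is placed only at the call site (`if (blr->fsp != NULL)`), while undo_locks_obtained itself still reads blr->fsp unconditionally in its first statement (`files_struct *fsp = blr->fsp;`, first hunk), so any future caller of the renamed helper reintroduces exactly the crash this commit fixes. Making the helper safe on its own, with `if (fsp == NULL) { return; }` directly after that assignment, would keep the fix in one place; the explanatory comment at the call site can stay. At minimum the header comment above undo_locks_obtained (only its tail "obtained first." is visible) should state the precondition, e.g. `/* Precondition: blr->fsp != NULL. After close the locks are already gone and there is nothing to undo. */`. Whether blr->req can also be NULL during rundown (it is dereferenced on the next line of the helper) is not visible here and worth confirming. blocking_lock_reply_error's body starts and ends outside the hunk.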