From 1055b3c229f9ab8b4d43a73346090bb72b88d607 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Mon, 26 Apr 2010 12:29:03 -0700
Subject: When walking the SMB2 requests queue, ensure the request is still "in
 flight" before examining the details.

SMB2 requests stay on the queue until their out.vector has been
send, only then are they talloc_free'd.

Thanks for Ira Cooper <ira@wakeful.net> for giving me the
backtrace showing this.

Jeremy.
---
 source3/smbd/smb2_create.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

(limited to 'source3/smbd')

diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c
index 3302730fbe..377db32148 100644
--- a/source3/smbd/smb2_create.c
+++ b/source3/smbd/smb2_create.c
@@ -877,7 +877,16 @@ static struct smbd_smb2_request *find_open_smb2req(uint64_t mid)
 	struct smbd_smb2_request *smb2req;
 
 	for (smb2req = sconn->smb2.requests; smb2req; smb2req = smb2req->next) {
-		uint64_t message_id = get_mid_from_smb2req(smb2req);
+		uint64_t message_id;
+		if (smb2req->subreq == NULL) {
+			/* This message has been processed. */
+			continue;
+		}
+		if (!tevent_req_is_in_progress(smb2req->subreq)) {
+			/* This message has been processed. */
+			continue;
+		}
+		message_id = get_mid_from_smb2req(smb2req);
 		if (message_id == mid) {
 			return smb2req;
 		}
-- 
cgit