From 7dd5f061831feb369ddacdd0637fa2c839a1ad05 Mon Sep 17 00:00:00 2001
From: Noel Power
Date: Thu, 27 Feb 2014 12:07:11 -0800
Subject: [PATCH] s3: smbd - smb1 - fix read of deleted memory in reply_writeclose().

While running smbtorture test raw.write under valgrind an "Invalid read" was reported in methid reply_writeclose, it seems after closing a file sometime later we try to access it again.

Signed-off-by: Noel Power
Signed-off-by: Jeremy Allison
---
 source3/smbd/reply.c | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 6b56239..af4a5f3 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -5198,6 +5198,10 @@ void reply_writeclose(struct smb_request *req)
 
 nwritten = write_file(req,fsp,data,startpos,numtowrite);
 
+ if (!fsp->print_file) {
+ SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock);
+ }
+
 set_close_write_time(fsp, mtime);
 
 /*
@@ -5205,34 +5209,32 @@ void reply_writeclose(struct smb_request *req)
 * JRA.
 */
 
+ DEBUG(3,("writeclose %s num=%d wrote=%d (numopen=%d)\n",
+ fsp_fnum_dbg(fsp), (int)numtowrite, (int)nwritten,
+ (numtowrite) ? conn->num_files_open - 1 : conn->num_files_open));
+
 if (numtowrite) {
 DEBUG(3,("reply_writeclose: zero length write doesn't close "
 "file %s\n", fsp_str_dbg(fsp)));
 close_status = close_file(req, fsp, NORMAL_CLOSE);
+ fsp = NULL;
 }
 
- DEBUG(3,("writeclose %s num=%d wrote=%d (numopen=%d)\n",
- fsp_fnum_dbg(fsp), (int)numtowrite, (int)nwritten,
- conn->num_files_open));
-
 if(((nwritten == 0) && (numtowrite != 0))||(nwritten < 0)) {
 reply_nterror(req, NT_STATUS_DISK_FULL);
- goto strict_unlock;
+ goto out;
 }
 
 if(!NT_STATUS_IS_OK(close_status)) {
 reply_nterror(req, close_status);
- goto strict_unlock;
+ goto out;
 }
 
 reply_outbuf(req, 1, 0);
 
 SSVAL(req->outbuf,smb_vwv0,nwritten);
 
-strict_unlock:
- if (numtowrite && !fsp->print_file) {
- SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock);
- }
+out:
 
 END_PROFILE(SMBwriteclose);
 return;
-- 
1.9.0.279.gdc9e3eb
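Review bot: The unlock added after `write_file()` is guarded only by `!fsp->print_file`, whereas the block removed at `strict_unlock:` also required `numtowrite`, so a zero-length writeclose now releases the byte range too. That is only the correct pairing if the lock taken above this hunk uses the same `!fsp->print_file` condition; the acquisition is not visible here, so it is worth confirming. The commit message describes only the invalid read, so I would mention this behaviour change there and add a comment on the new block, e.g. `/* Release the range lock before any close: close_file() frees fsp. */`. The body of reply_writeclose starts and ends outside this hunk.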
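Review bot: The relocated `DEBUG(3, ...)` prints `conn->num_files_open - 1` as a prediction made before `close_file()` runs, so the logged count is wrong if the close fails or does not decrement the counter. Nothing in the code says why the log must precede the close, so a later tidy-up could move it back below `close_file()` and reintroduce the read of freed memory. I would add a comment above it, e.g. `/* Log before close_file(): fsp is freed by the close, so numopen is the expected post-close value. */`. Separately, the unchanged message `zero length write doesn't close file` is emitted inside `if (numtowrite)`, which is the path that does close the file, so it misleads anyone reading level-3 logs during triage.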