[SCM] Samba Shared Repository - branch v3-6-test updated
Karolin Seeger
kseeger at samba.org
Sun Aug 12 23:26:19 MDT 2012
The branch, v3-6-test has been updated
via d80fbbe s3: Fix a crash in reply_lockingX_error
from 3ce8703 Fix bug 9065: source3/registry/regfio.c: bad call to memcpy
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test
- Log -----------------------------------------------------------------
commit d80fbbea8ec77c0bda0e3fb9eaed2f170784ea7d
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 7 16:49:52 2012 -0700
s3: Fix a crash in reply_lockingX_error
A timed brlock with 2 locks comes in and the second one blocks,
file is closed. smbd_cancel_pending_lock_requests_by_fid sets
blr->fsp to NULL. reply_lockingX_error (called via
MSG_SMB_BLOCKING_LOCK_CANCEL) dereferences blr->fsp because
blr->lock_num==1 (the second one blocked).
This patch fixes the bug by only undoing the locks if fsp!=NULL.
fsp==NULL is the close case where everything is undone anyway.
Thanks to Peter Somogyi, somogyi at hu.ibm.com for this bug report.
Fix bug #9084 - Blocking lock followed by close can crash smbd.
-----------------------------------------------------------------------
Summary of changes:
source3/smbd/blocking.c | 17 ++++++++++++-----
1 files changed, 12 insertions(+), 5 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/smbd/blocking.c b/source3/smbd/blocking.c
index c208234..07fdfa0 100644
--- a/source3/smbd/blocking.c
+++ b/source3/smbd/blocking.c
@@ -326,7 +326,7 @@ static void generic_blocking_lock_error(struct blocking_lock_record *blr, NTSTAT
obtained first.
*****************************************************************************/
-static void reply_lockingX_error(struct blocking_lock_record *blr, NTSTATUS status)
+static void undo_locks_obtained(struct blocking_lock_record *blr)
{
files_struct *fsp = blr->fsp;
uint16 num_ulocks = SVAL(blr->req->vwv+6, 0);
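Review bot: undo_locks_obtained still takes blr->fsp unconditionally on its first line (files_struct *fsp = blr->fsp;) and depends entirely on the caller for the NULL check. An early return on fsp == NULL inside the function, or an assertion there, would keep a later caller from reintroducing the crash described in the commit message.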
@@ -370,8 +370,6 @@ static void reply_lockingX_error(struct blocking_lock_record *blr, NTSTATUS stat
offset,
WINDOWS_LOCK);
}
-
- generic_blocking_lock_error(blr, status);
}
/****************************************************************************
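Review bot: the header comment above this function (its tail, "obtained first.", is visible in the previous hunk) should be checked and reworded, because with the generic_blocking_lock_error(blr, status) call removed at the end of the body the function only undoes locks and no longer sends the error reply.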
@@ -384,8 +382,17 @@ static void blocking_lock_reply_error(struct blocking_lock_record *blr, NTSTATUS
switch(blr->req->cmd) {
case SMBlockingX:
- reply_lockingX_error(blr, status);
- break;
+ /*
+ * This code can be called during the rundown of a
+ * file after it was already closed. In that case,
+ * blr->fsp==NULL and we do not need to undo any
+ * locks, they are already gone.
+ */
+ if (blr->fsp != NULL) {
+ undo_locks_obtained(blr);
+ }
+ generic_blocking_lock_error(blr, status);
+ break;
case SMBtrans2:
case SMBtranss2:
reply_nterror(blr->req, status);
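Review bot: the new blr->fsp != NULL check in the SMBlockingX case comes without a regression test; the diffstat lists only source3/smbd/blocking.c. A test that issues a timed lock request with two locks where the second blocks, then closes the file, would pin bug #9084. The in-code comment could also say that smbd_cancel_pending_lock_requests_by_fid is what sets blr->fsp to NULL, as the commit message does, so the invariant can be found from the code alone.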
--
Samba Shared Repository