[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Mon Mar 3 12:43:04 MST 2014


The branch, master has been updated
       via  04e4346 s3: smbd - smb1 - fix read of deleted memory in reply_writeclose().
      from  bbd0bda smbd: Fix an uninitialized memory read

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 04e434661fa6b5f13776f925b0a7cbadb6b6d006
Author: Noel Power <nopower at suse.com>
Date:   Thu Feb 27 12:07:11 2014 -0800

    s3: smbd - smb1 - fix read of deleted memory in reply_writeclose().
    
    While running smbtorture test raw.write under valgrind an "Invalid read"
    was reported in method reply_writeclose, it seems after closing a file
    sometime later we try to access it again.
    
    Signed-off-by: Noel Power <noel.power at suse.com>
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Mon Mar  3 20:42:40 CET 2014 on sn-devel-104

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/reply.c |   24 +++++++++++++-----------
 1 files changed, 13 insertions(+), 11 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 6b56239..3f3bbe1 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -5184,7 +5184,7 @@ void reply_writeclose(struct smb_request *req)
 	mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
 	data = (const char *)req->buf + 1;
 
-	if (!fsp->print_file) {
+	if (fsp->print_file == NULL) {
 		init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
 		    (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
 		    &lock);
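Review bot: The switch from !fsp->print_file to fsp->print_file == NULL at the top of this hunk is a style-only change riding along with a memory-safety fix. Consider splitting it into its own commit so the fix stays minimal and is easier to backport and audit.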
@@ -5198,6 +5198,10 @@ void reply_writeclose(struct smb_request *req)
 
 	nwritten = write_file(req,fsp,data,startpos,numtowrite);
 
+	if (fsp->print_file == NULL) {
+		SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock);
+	}
+
 	set_close_write_time(fsp, mtime);
 
 	/*
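Review bot: The new unlock right after write_file() is guarded only by fsp->print_file == NULL, while the strict_unlock block this patch removes also required numtowrite to be non-zero. Zero-length requests therefore now call SMB_VFS_STRICT_UNLOCK where they did not before. If that is intended, because the lock is taken regardless of numtowrite, please say so in the commit message. If not, keep the numtowrite test in this condition.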
@@ -5205,34 +5209,32 @@ void reply_writeclose(struct smb_request *req)
 	 * JRA.
 	 */
 
+	DEBUG(3,("writeclose %s num=%d wrote=%d (numopen=%d)\n",
+		fsp_fnum_dbg(fsp), (int)numtowrite, (int)nwritten,
+		(numtowrite) ? conn->num_files_open - 1 : conn->num_files_open));
+
 	if (numtowrite) {
 		DEBUG(3,("reply_writeclose: zero length write doesn't close "
 			 "file %s\n", fsp_str_dbg(fsp)));
 		close_status = close_file(req, fsp, NORMAL_CLOSE);
+		fsp = NULL;
 	}
 
-	DEBUG(3,("writeclose %s num=%d wrote=%d (numopen=%d)\n",
-		 fsp_fnum_dbg(fsp), (int)numtowrite, (int)nwritten,
-		 conn->num_files_open));
-
 	if(((nwritten == 0) && (numtowrite != 0))||(nwritten < 0)) {
 		reply_nterror(req, NT_STATUS_DISK_FULL);
-		goto strict_unlock;
+		goto out;
 	}
 
 	if(!NT_STATUS_IS_OK(close_status)) {
 		reply_nterror(req, close_status);
-		goto strict_unlock;
+		goto out;
 	}
 
 	reply_outbuf(req, 1, 0);
 
 	SSVAL(req->outbuf,smb_vwv0,nwritten);
 
-strict_unlock:
-	if (numtowrite && !fsp->print_file) {
-		SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock);
-	}
+out:
 
 	END_PROFILE(SMBwriteclose);
 	return;
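Review bot: The relocated DEBUG(3, "writeclose ...") now runs before close_file() and logs conn->num_files_open - 1 when numtowrite is non-zero, so numopen is a prediction that will be wrong if the close fails or does not decrement the counter. Since it had to move because fsp is no longer valid after the close, a short comment explaining that would help. Setting fsp = NULL after close_file() is a good guard against later reuse. Separately, the context line "zero length write doesn't close file" sits inside the if (numtowrite) branch, which is the branch that does close the file. The message or the condition looks inverted and is worth a follow-up.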


-- 
Samba Shared Repository