[SCM] Samba Shared Repository - branch master updated

Andreas Schneider asn at samba.org
Fri Oct 30 18:50:02 UTC 2015 

The branch, master has been updated
       via  db9e10d s3-smbd: Fix use after issue in smbd_smb2_request_dispatch()
      from  d8f3b49 ctdb-banning: Do not set recovery mode to ACTIVE in daemon

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit db9e10d071793b91b3f3d40225a8634e3c34f65e
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Oct 30 09:01:28 2015 +0100

    s3-smbd: Fix use after issue in smbd_smb2_request_dispatch()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11581
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Fri Oct 30 19:49:47 CET 2015 on sn-devel-104

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/smb2_server.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index a31a6e2..2692fb8 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -1705,13 +1705,6 @@ static NTSTATUS smbd_smb2_request_process_cancel(struct smbd_smb2_request *req)
 	search_message_id = BVAL(inhdr, SMB2_HDR_MESSAGE_ID);
 	search_async_id = BVAL(inhdr, SMB2_HDR_PID);
 
-	/*
-	 * we don't need the request anymore
-	 * cancel requests never have a response
-	 */
-	DLIST_REMOVE(xconn->smb2.requests, req);
-	TALLOC_FREE(req);
-
 	for (cur = xconn->smb2.requests; cur; cur = cur->next) {
 		const uint8_t *outhdr;
 		uint64_t message_id;
@@ -2368,6 +2361,14 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 					       req->profile, _INBYTES(req));
 		return_value = smbd_smb2_request_process_cancel(req);
 		SMBPROFILE_IOBYTES_ASYNC_END(req->profile, 0);
+
+		/*
+		 * We don't need the request anymore cancel requests never
+		 * have a response.
+		 */
+		DLIST_REMOVE(xconn->smb2.requests, req);
+		TALLOC_FREE(req);
+
 		break;
 
 	case SMB2_OP_KEEPALIVE:


-- 
Samba Shared Repository

More information about the samba-cvs mailing list