[PATCH] Patchset for bug #10344 - SessionLogoff on a signed connection with an outstanding notify request crashes smbd.

Stefan (metze) Metzmacher metze at samba.org
Tue Feb 25 23:01:23 MST 2014

Hi Jeremy

> Finally I've added two tests
> that excersise these functions
> with pending requests outstanding
> in the smb2.notify smbtorture
> test.
> I'm pretty happy with this patchset,
> as it fixes a longstanding issue.

I think we need to solve this a bit more generic,
a close on a file handle will also trigger this
and smbd_server_connection_terminate()

I think we need something like this in

1) After the ->table == NULL check, we first just set open->status =
   tcon->status = NT_STATUS_NETWORK_NAME_DELETED or session->status =
   This makes sure they can't be used for new requests.

2a) Check if there're pending (for now only smb2) requests using the
specified smbXsrv_open/tcon/session,
    if so we call tevent_req_cancel() for them, if not goto step 3.
    (later we may need similar checks for smb1 requests).

2b) (optinal) we add a struct db_context *closed_db; to
    and add the specified open, tcon or session to it with its
->local_id, similar as it's added
    to smbXsrv_{open,tcon,session}_table->local->db_ctx.

2c) call smbXsrv_{open,tcon,session}_global_store, so that tool like
smbstatus show the correct state.

2d) return

3) continue to remove the open/tcon/session as before...
   remember to undo 2b)

Then we add smbXsrv_open_remove_unused(struct smbXsrv_open_table *table),
smbXsrv_tcon_remove_unused(struct smbXsrv_tcon_table *table) and
smbXsrv_session_remove_unused(struct smbXsrv_session_table *table).

This traverse smbXsrv_{open,tcon,session}_table->local->db_ctx or
if 2b) is implemented smbXsrv_{open,tcon,session}_table->local->closed_db
and call smbXsrv_open_close/smbXsrv_tcon_disconnect/smbXsrv_session_logoff

smbd_smb2_request_dispatch() and smbd_smb2_io_handler() will call
smbXsrv_tcon_remove_unused() and smbXsrv_session_remove_unused() as
first action.

This way we can directly response to SMB2 logoff, tdis and logoff.

In smbd_server_connection_terminate() we need think about how to
remove pending requests so that we really remove all opens, tcons and
in the first run.

As a shortcut we can just remove the pending requests from the list,
as smbd_server_connection_terminate() calls exit_server*()

But in the long run when we start to implement multichannel support,
we may just talloc_free all requests, but we need to
be careful regarding the pthreadpool usage, we need to add a way to
destroy the state of pending requests, without triggering a segfault
when the blocking syscall returns, we need to gracefully terminate the


More information about the samba-technical mailing list