[PATCH] Patchset for bug #10344 - SessionLogoff on a signed connection with an outstanding notify request crashes smbd.
Stefan (metze) Metzmacher
metze at samba.org
Tue Feb 25 23:01:23 MST 2014
Hi Jeremy
> Finally I've added two tests
> that excersise these functions
> with pending requests outstanding
> in the smb2.notify smbtorture
> test.
>
> I'm pretty happy with this patchset,
> as it fixes a longstanding issue.
I think we need to solve this a bit more generic,
a close on a file handle will also trigger this
and smbd_server_connection_terminate()
I think we need something like this in
smbXsrv_open_close/smbXsrv_tcon_disconnect/smbXsrv_session_logoff:
1) After the ->table == NULL check, we first just set open->status =
NT_STATUS_FILE_CLOSED,
tcon->status = NT_STATUS_NETWORK_NAME_DELETED or session->status =
NT_STATUS_USER_SESSION_DELETED.
This makes sure they can't be used for new requests.
2a) Check if there're pending (for now only smb2) requests using the
specified smbXsrv_open/tcon/session,
if so we call tevent_req_cancel() for them, if not goto step 3.
(later we may need similar checks for smb1 requests).
2b) (optinal) we add a struct db_context *closed_db; to
smbXsrv_{open,tcon,session}_table->local
and add the specified open, tcon or session to it with its
->local_id, similar as it's added
to smbXsrv_{open,tcon,session}_table->local->db_ctx.
2c) call smbXsrv_{open,tcon,session}_global_store, so that tool like
smbstatus show the correct state.
2d) return
3) continue to remove the open/tcon/session as before...
remember to undo 2b)
Then we add smbXsrv_open_remove_unused(struct smbXsrv_open_table *table),
smbXsrv_tcon_remove_unused(struct smbXsrv_tcon_table *table) and
smbXsrv_session_remove_unused(struct smbXsrv_session_table *table).
This traverse smbXsrv_{open,tcon,session}_table->local->db_ctx or
if 2b) is implemented smbXsrv_{open,tcon,session}_table->local->closed_db
and call smbXsrv_open_close/smbXsrv_tcon_disconnect/smbXsrv_session_logoff
again.
smbd_smb2_request_dispatch() and smbd_smb2_io_handler() will call
smbXsrv_open_remove_unused(),
smbXsrv_tcon_remove_unused() and smbXsrv_session_remove_unused() as
first action.
This way we can directly response to SMB2 logoff, tdis and logoff.
In smbd_server_connection_terminate() we need think about how to
remove pending requests so that we really remove all opens, tcons and
sessions
in the first run.
As a shortcut we can just remove the pending requests from the list,
as smbd_server_connection_terminate() calls exit_server*()
But in the long run when we start to implement multichannel support,
we may just talloc_free all requests, but we need to
be careful regarding the pthreadpool usage, we need to add a way to
destroy the state of pending requests, without triggering a segfault
when the blocking syscall returns, we need to gracefully terminate the
pthread...
metze
More information about the samba-technical
mailing list