[PATCH] invalid read of deleted memory in

Jeremy Allison jra at samba.org
Thu Feb 27 10:13:06 MST 2014


On Thu, Feb 27, 2014 at 03:47:32PM +0000, Noel Power wrote:
> Hi,
> 
> small and probably naive patch for a valgrind error
> 
> Noel

> From 1f962a57ab686f4a5f45d799571e4e9afc8b0440 Mon Sep 17 00:00:00 2001
> From: Noel Power <noel.power at suse.com>
> Date: Thu, 27 Feb 2014 14:52:45 +0000
> Subject: [PATCH] fix read of deleted memory in reply_writeclose
> 
> While running smbtorture test raw.write under valgrind an "Invalid read"
> was reported in method reply_writeclose, it seems after closing a file
> sometime later we try to access it again.
> 
> Signed-off-by: Noel Power <noel.power at suse.com>
> ---
>  source3/smbd/reply.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
> index 6b56239..bf90662 100644
> --- a/source3/smbd/reply.c
> +++ b/source3/smbd/reply.c
> @@ -5223,6 +5223,8 @@ void reply_writeclose(struct smb_request *req)
>  	if(!NT_STATUS_IS_OK(close_status)) {
>  		reply_nterror(req, close_status);
>  		goto strict_unlock;
> +	} else {
> +		fsp = NULL;
>  	}
>  
>  	reply_outbuf(req, 1, 0);
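Review bot: fsp is only cleared on the success path here; in the `!NT_STATUS_IS_OK(close_status)` branch the code still jumps to strict_unlock with fsp pointing at the file structure that close_file was just handed, so the `fsp->print_file` read at that label is still reachable after the close. Set `fsp = NULL` (or capture whatever is needed from fsp in a local) before the status check rather than only in the else branch, so neither path touches fsp after close_file returns.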
> @@ -5230,7 +5232,7 @@ void reply_writeclose(struct smb_request *req)
>  	SSVAL(req->outbuf,smb_vwv0,nwritten);
>  
>  strict_unlock:
> -	if (numtowrite && !fsp->print_file) {
> +	if (numtowrite && fsp && !fsp->print_file) {
>  		SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock);
>  	}
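Review bot: the added `fsp &&` guard avoids the invalid read but also means SMB_VFS_STRICT_UNLOCK is never called on the success path, since fsp is now NULL there; the lock taken for the write is silently left to the close to clean up instead of being released explicitly. A more robust fix is to move the strict unlock before the close (so fsp is still valid when it runs) or to read `fsp->print_file` into a local before close_file, rather than skipping the unlock whenever fsp is NULL.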

Thanks for pointing that out! It's actually worse
than that in that after we call close_file(..., fsp, ...)
we shouldn't be touching fsp again.

I'll update your fix and re-submit.

Thanks!

Jeremy.
