[PATCH] Patchset for bug #10344 - SessionLogoff on a signed connection with an outstanding notify request crashes smbd.
Jeremy Allison
jra at samba.org
Mon Mar 3 09:59:04 MST 2014
On Tue, Feb 25, 2014 at 02:56:53PM -0800, Jeremy Allison wrote:
> Hi all,
>
> Here is a patchset to fix a bug Codenomicon
> scans found in our SMB2/3 implementation.
>
> [Bug 10344] SessionLogoff on a signed connection with an outstanding notify request crashes smbd.
> https://bugzilla.samba.org/show_bug.cgi?id=10344
>
> Sending a SMB2 Notify that goes async
> followed by a SessionLogoff on a signed
> connection will crash the server.
>
> The problem is we don't cancel the
> outstanding requests for a session
> when we receive a SessionLogoff or
> a TreeDisconnect.
>
> This patchset implements this by
> making both SessionLogoff and
> TreeDisconnect in SMB2/3 asynchronous.
>
> On receipt of a SessionLogoff or
> TreeDisconnect is looks over the
> pending request list and calls
> tevent_req_cancel() on any cancelable
> requests (it ignores any that are
> not cancelable, but all requests
> that can go async are cancelable).
>
> It then reschedules itself and
> re-scans when it's rescheduled,
> and if all cancelable requests
> are finished it then replies.
>
> If there are no pending requests
> it just replies as normal with
> a tevent_req_done(req); return tevent_req_post(req, ev);
> pair at the end of the _send
> function.
>
> Finally I've added two tests
> that excersise these functions
> with pending requests outstanding
> in the smb2.notify smbtorture
> test.
>
> I'm pretty happy with this patchset,
> as it fixes a longstanding issue.
>
> Reviews appreciated !
Ping ! Metze (or others :-), can you review the patch
this week please ?
Thanks,
Jeremy.
More information about the samba-technical
mailing list