[PATCH] Version 2: Patchset for bug #10344 - SessionLogoff on a signed connection with an outstanding notify request crashes smbd.

Stefan (metze) Metzmacher metze at samba.org
Wed Mar 12 09:32:51 MDT 2014


On 12.03.2014 16:30, Stefan (metze) Metzmacher wrote:
> On 11.03.2014 22:59, Jeremy Allison wrote:
>> On Tue, Mar 11, 2014 at 01:59:08PM -0700, Jeremy Allison wrote:
>>>
>>> CONCLUSION (if anyone actually gets down as far as this :-).
>>> ------------------------------------------------------------
>>>
>>> I agree on tmp1.diff and tmp2.diff, with the 'Signed-off-by'
>>> change mentioned above.
>>>
>>> I hate it, but the tevent_queue_wait_send() already exists
>>> and is in use inside our code, and even though I think my
>>> code is easier to understand people can disagree, so in
>>> the interests of not adding extra APIs I'm willing to accept
>>> metze's fix in place of mine.
>>>
>>> I also think (at least for the smb2_sesssetup.c
>>> and smb2_tcon.c changes) that we should change the
>>> 'Signed-off-by' lines to include both Metze and
>>> myself, as this has been a herculean effort from
>>> both of us.
>>
>> Here is the proposed patchset for master. Even
>> though I like my API better, I recognise when it's
>> a reinvention of what is already there :-).
> 
> Thanks!
> 
>> Metze, if you're OK with this I'll push to
>> master and work on back-ports for 4.1.x,
>> 4.0.x for the bug report.
> 
> Here's an updated version. I changed the authorship to you for 2 commits
> and added Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
> and Signed-off-by: Stefan Metzmacher <metze at samba.org>
> to the commits we both modified.
> 
> For the backports we need to copy tevent_queue_wait_* to
> something like smbd_queue_wait_*, as it was recently added in
> tevent-0.9.20 and not available in v4-0-test and v4-1-test.
> In order to make it easier for packagers I'd say that we
> should not require a newer tevent version there.

But we need to test this a bit, I'm not sure anymore, but
commit 7fe5584e2a59584431cb2ddf8a4da22bfb924454
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Jan 11 08:58:05 2014 +0100

    tevent: fix crash bug in tevent_queue_immediate_trigger()

    Assume we have a queue with 2 entries (A and B with triggerA() and triggerB()).
    If triggerA() removes itself tevent_queue_entry_destructor() will be called
    for A, this schedules the immediate event to call triggerB().
    If triggerA() then also removes B by an explicit or implicit talloc_free(),
    q->list is NULL, but the immediate event is still scheduled and can't be unscheduled.

    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>

might be needed...

metze
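
The queue state described in the quoted commit message, as an added example that is not part of the original mail and is not tevent's code: a simplified model in which the "immediate" event cannot be cancelled once scheduled, so the deferred trigger has to check for an empty list before dereferencing it. All names (`entry_remove`, `immediate_trigger`, `run_scenario`) and the A/B scenario are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified model of the queue in the commit message; not tevent's code. */
struct entry;
struct queue { struct entry *list; bool immediate_pending; };
struct entry { struct entry *next; void (*trigger)(struct queue *, struct entry *); };

/* Models the entry destructor: removing the head schedules the next trigger. */
static void entry_remove(struct queue *q, struct entry *e)
{
    struct entry **pp = &q->list;
    while (*pp != NULL && *pp != e) pp = &(*pp)->next;
    if (*pp == NULL) return;                      /* e is not queued */
    *pp = e->next;
    if (pp == &q->list && q->list != NULL) q->immediate_pending = true;
}

/* Deferred trigger; returns 1 if an entry's trigger ran, 0 otherwise. */
static int immediate_trigger(struct queue *q)
{
    if (!q->immediate_pending) return 0;
    q->immediate_pending = false;
    if (q->list == NULL) return 0;   /* guard: queue emptied after scheduling */
    q->list->trigger(q, q->list);
    return 1;
}

static void trigger_b(struct queue *q, struct entry *e) { (void)q; (void)e; }
static void trigger_a(struct queue *q, struct entry *e)
{
    struct entry *b = e->next;
    entry_remove(q, e);   /* A removes itself: immediate scheduled for B */
    entry_remove(q, b);   /* A also removes B: q->list is now NULL */
}

int run_scenario(bool *was_pending)
{
    struct entry b = { NULL, trigger_b }, a = { &b, trigger_a };
    struct queue q = { &a, false };
    q.list->trigger(&q, q.list);          /* run triggerA() on the head */
    *was_pending = q.immediate_pending;   /* still scheduled, list empty */
    return immediate_trigger(&q);         /* triggers run by the stale event */
}

int main(void)
{
    bool pending;
    return run_scenario(&pending);
}
```

Without the `q->list == NULL` check, `immediate_trigger()` in this model would dereference a NULL head in exactly the state the commit message describes.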

