Additional patch for bug 11581

Stefan Metzmacher metze at samba.org
Mon Nov 2 13:22:06 UTC 2015


Hi,

here's an additional fix for
https://bugzilla.samba.org/show_bug.cgi?id=11581

I guess there's no real problem because the cancel
request is added with DLIST_ADD_END() at the end
and we would find the real request first in the list.
And if we really find the cancel request itself
cur->subreq is still NULL and there's no real problem.

However we should avoid potential confusion and
remove the cancel request before looping over
all requests.

Please review and push:-)

metze
-------------- next part --------------
From e71c04765cfeb7a4ae8f8cc6dc0f14b2b3eec0eb Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 2 Nov 2015 13:40:24 +0100
Subject: [PATCH] s3:smb2_server: make the logic of SMB2_CANCEL DLIST_REMOVE()
 clearer

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11581

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/smbd/smb2_server.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index ddaba38..f27e797 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -1703,6 +1703,14 @@ static NTSTATUS smbd_smb2_request_process_cancel(struct smbd_smb2_request *req)
 	search_message_id = BVAL(inhdr, SMB2_HDR_MESSAGE_ID);
 	search_async_id = BVAL(inhdr, SMB2_HDR_PID);
 
+	/*
+	 * We don't need the request anymore cancel requests never
+	 * have a response.
+	 *
+	 * We defer the TALLOC_FREE(req) to the caller.
+	 */
+	DLIST_REMOVE(xconn->smb2.requests, req);
+
 	for (cur = xconn->smb2.requests; cur; cur = cur->next) {
 		const uint8_t *outhdr;
 		uint64_t message_id;
@@ -2347,8 +2355,10 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 		/*
 		 * We don't need the request anymore cancel requests never
 		 * have a response.
+		 *
+		 * smbd_smb2_request_process_cancel() already called
+		 * DLIST_REMOVE(xconn->smb2.requests, req);
 		 */
-		DLIST_REMOVE(xconn->smb2.requests, req);
 		TALLOC_FREE(req);
 
 		break;
-- 
1.9.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20151102/db66303f/signature.sig>


More information about the samba-technical mailing list