[PATCH] Fix bug 13602

Volker Lendecke Volker.Lendecke at SerNet.DE
Mon Sep 3 14:45:15 UTC 2018


Hi!

4.6 is not affected, 4.7 and following are.

Review appreciated!

Thanks, Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

Meet us at Storage Developer Conference (SDC)
Santa Clara, CA USA, September 24th-27th 2018
From 83582bfa95f4465684e852601a65fa47c81c8e82 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 3 Sep 2018 15:54:48 +0200
Subject: [PATCH] smbd: Fix a memleak in async search ask sharemode

fetch_share_mode_unlocked_parser() takes a "struct
fetch_share_mode_unlocked_state *" as
"private_data". fetch_share_mode_send() used a talloc_zero'ed "struct
share_mode_lock". This led to the parser putting a "struct
share_mode_lock" on the NULL talloc_context where nobody really picked it
up.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13602
Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/locking/share_mode_lock.c | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/source3/locking/share_mode_lock.c b/source3/locking/share_mode_lock.c
index fce0c335ec3..ee67e1d8159 100644
--- a/source3/locking/share_mode_lock.c
+++ b/source3/locking/share_mode_lock.c
@@ -673,7 +673,7 @@ static void fetch_share_mode_done(struct tevent_req *subreq);
 struct fetch_share_mode_state {
 	struct file_id id;
 	TDB_DATA key;
-	struct share_mode_lock *lck;
+	struct fetch_share_mode_unlocked_state parser_state;
 	enum dbwrap_req_state req_state;
 };
 
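Review bot: with parser_state now embedded by value in struct fetch_share_mode_state, only its mem_ctx member is assigned in fetch_share_mode_send, while fetch_share_mode_recv later reads parser_state.lck; this relies on the whole state being zero-filled at creation. An explicit initializer for parser_state (or a short comment saying that the parser is expected to fill in lck) would make that dependency visible to the next reader.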
@@ -721,17 +721,14 @@ struct tevent_req *fetch_share_mode_send(TALLOC_CTX *mem_ctx,
 
 	state->id = id;
 	state->key = locking_key(&state->id);
-	state->lck = talloc_zero(state, struct share_mode_lock);
-	if (tevent_req_nomem(state->lck, req)) {
-		return tevent_req_post(req, ev);
-	}
+	state->parser_state.mem_ctx = state;
 
 	subreq = dbwrap_parse_record_send(state,
 					  ev,
 					  lock_db,
 					  state->key,
 					  fetch_share_mode_unlocked_parser,
-					  state->lck,
+					  &state->parser_state,
 					  &state->req_state);
 	if (tevent_req_nomem(subreq, req)) {
 		return tevent_req_post(req, ev);
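Review bot: the private_data argument of dbwrap_parse_record_send is a void *, so the old call passing state->lck where fetch_share_mode_unlocked_parser expects a struct fetch_share_mode_unlocked_state * compiled cleanly and silently produced the leak this patch fixes. Consider a one-line comment at the `fetch_share_mode_unlocked_parser,` / `&state->parser_state,` lines stating which type the parser expects, since the compiler will not catch a future mismatch either.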
@@ -775,12 +772,12 @@ NTSTATUS fetch_share_mode_recv(struct tevent_req *req,
 		return status;
 	}
 
-	if (state->lck->data == NULL) {
+	if (state->parser_state.lck->data == NULL) {
 		tevent_req_received(req);
 		return NT_STATUS_NOT_FOUND;
 	}
 
-	lck = talloc_move(mem_ctx, &state->lck);
+	lck = talloc_move(mem_ctx, &state->parser_state.lck);
 
 	if (DEBUGLEVEL >= 10) {
 		DBG_DEBUG("share_mode_data:\n");
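Review bot: the removed tevent_req_nomem() check in fetch_share_mode_send used to guarantee that the lock pointer was non-NULL before it was dereferenced here, but `if (state->parser_state.lck->data == NULL)` now dereferences a pointer the parser allocates. Please confirm that fetch_share_mode_unlocked_parser reports an allocation failure through a status that the earlier `return status;` path in this function catches, otherwise this line would dereference NULL on out-of-memory.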
-- 
2.11.0
