| commit | 9bf23912b3cc82639bf2e2f9138ddb6dff2559ee | |
| author | Stefan Metzmacher <metze@samba.org> | |
| Fri, 9 Jun 2017 10:30:33 +0000 (9 12:30 +0200) | ||
| committer | Karolin Seeger <kseeger@samba.org> | |
| Fri, 30 Jun 2017 08:50:22 +0000 (30 10:50 +0200) | ||
| tree | 2cd543614cec654e2d07947d4d1f7f976e8983fc | treesnapshot (tar.gz zip) |
| parent | d2bf63c93f2717a405727c4e1024d4c8347a142d | commitdiff |
s3:smb2_create: avoid reusing the 'tevent_req' within smbd_smb2_create_send()
As the caller ("smbd_smb2_request_process_create()") already sets the callback,
the first time, it's not safe to reuse the tevent_req structure.
The typical 'tevent_req_nterror(); return tevent_req_post()' will
crash as the tevent_req_nterror() already triggered the former callback,
which calls smbd_smb2_create_recv(), were tevent_req_received() invalidates
the tevent_req structure, so that tevent_req_post() will crash.
We just remember the required values from the old state
and move them to the new state.
We tried to write reproducers for this, but sadly weren't able to trigger
the backtrace we had from a create a customer (using recent code)
with commit 6beba782f1bf951236813e0b46115b8102212c03
included. And this patch fixed the situation for the
customer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12832
Pair-Programmed-With: Volker Lendecke <vl@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 02146ea5ee729de0e49ecf617e6983f4e61fbe59)
As the caller ("smbd_smb2_request_process_create()") already sets the callback,
the first time, it's not safe to reuse the tevent_req structure.
The typical 'tevent_req_nterror(); return tevent_req_post()' will
crash as the tevent_req_nterror() already triggered the former callback,
which calls smbd_smb2_create_recv(), were tevent_req_received() invalidates
the tevent_req structure, so that tevent_req_post() will crash.
We just remember the required values from the old state
and move them to the new state.
We tried to write reproducers for this, but sadly weren't able to trigger
the backtrace we had from a create a customer (using recent code)
with commit 6beba782f1bf951236813e0b46115b8102212c03
included. And this patch fixed the situation for the
customer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12832
Pair-Programmed-With: Volker Lendecke <vl@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 02146ea5ee729de0e49ecf617e6983f4e61fbe59)
| source3/smbd/smb2_create.c | diffblobblamehistory |