From de398573fe753a347cba35666fcf84b30a3307f7 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 11 Apr 2018 12:14:59 +0200
Subject: [PATCH] s3:smb2_server: correctly maintain request counters for
 compound requests

If a session expires during a compound request chain,
we exit smbd_smb2_request_dispatch() with
'return smbd_smb2_request_error(req, ...)' before
calling smbd_smb2_request_dispatch_update_counts().

As req->request_counters_updated was only reset
within smbd_smb2_request_dispatch_update_counts(),
smbd_smb2_request_reply_update_counts() was called
twice on the same request, which triggers
SMB_ASSERT(op->request_count > 0);

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13215

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit 87e25cd1e45bfe57292b62ffc44ddafc01c61ca0)
---
 source3/smbd/smb2_server.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index ee03a8eb0bb..177e5ffc2f2 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -2180,7 +2180,7 @@ static NTSTATUS smbd_smb2_request_dispatch_update_counts(
 	bool update_open = false;
 	NTSTATUS status = NT_STATUS_OK;
 
-	req->request_counters_updated = false;
+	SMB_ASSERT(!req->request_counters_updated);
 
 	if (xconn->protocol < PROTOCOL_SMB2_22) {
 		return NT_STATUS_OK;
@@ -2315,6 +2315,8 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 
 	DO_PROFILE_INC(request);
 
+	SMB_ASSERT(!req->request_counters_updated);
+
 	/* TODO: verify more things */
 
 	flags = IVAL(inhdr, SMB2_HDR_FLAGS);
@@ -2755,6 +2757,8 @@ static void smbd_smb2_request_reply_update_counts(struct smbd_smb2_request *req)
 		return;
 	}
 
+	req->request_counters_updated = false;
+
 	if (xconn->protocol < PROTOCOL_SMB2_22) {
 		return;
 	}
-- 
2.11.4.GIT