From ecef3fe077d6a44659c7bb9d30dfcab61c64f0e8 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 1 Jul 2020 18:02:16 +0200
Subject: [PATCH] s3:smbd: make sure we detect stale smbXsrv_connection pointers in smbXsrv_session_auth0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Pointer values can be reused (yes, I hit that during my testing!). Introduce a channel_id to identify connections and also add some timestamps to make debugging easier. This makes smbXsrv_session_find_auth() much more robust. This is a similar change as 0cec96526bf4d3209caf36c4a19632ff5d5dd112: "smb2_server: make sure we detect stale smbXsrv_connection pointers in smbXsrv_channel_global"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11898
Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
---
 source3/librpc/idl/smbXsrv.idl | 1 +
 source3/smbd/smbXsrv_session.c | 5 +++++
 2 files changed, 6 insertions(+)
diff --git a/source3/librpc/idl/smbXsrv.idl b/source3/librpc/idl/smbXsrv.idl
index 1ecc40fcaac..a74ac42b312 100644
--- a/source3/librpc/idl/smbXsrv.idl
+++ b/source3/librpc/idl/smbXsrv.idl
@@ -284,6 +284,7 @@ interface smbXsrv
 uint8 in_security_mode;
 NTTIME creation_time;
 NTTIME idle_time;
+ hyper channel_id;
 } smbXsrv_session_auth0;
 typedef struct {
diff --git a/source3/smbd/smbXsrv_session.c b/source3/smbd/smbXsrv_session.c
index 8eaa9fdcbab..c55a57885a5 100644
--- a/source3/smbd/smbXsrv_session.c
+++ b/source3/smbd/smbXsrv_session.c
@@ -1464,6 +1464,10 @@ NTSTATUS smbXsrv_session_find_auth(const struct smbXsrv_session *session,
 struct smbXsrv_session_auth0 *a;
 for (a = session->pending_auth; a != NULL; a = a->next) {
+ if (a->channel_id != conn->channel_id) {
+ continue;
+ }
+
 if (a->connection == conn) {
 if (now != 0) {
 a->idle_time = now;
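Review bot: The new `hyper channel_id;` member of `smbXsrv_session_auth0` (smbXsrv.idl hunk) carries no comment, and the struct now holds two ways of identifying the owning connection with nothing saying which one is authoritative. I would put a line such as `/* identifies the owning connection; a connection pointer value can be reused, so compare this first */` above the field. The struct definition starts outside the hunk, so how the pointer member is declared there is not visible from here.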
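Review bot: In the `smbXsrv_session_find_auth()` hunk the added `continue` only skips an entry whose `channel_id` differs, so if an entry outlives its connection it stays on `pending_auth` with a dangling `a->connection`. This lookup is safe after the change, but any other code that walks the list and touches `a->connection` without the same test would still see the reused pointer; a comment above the check, e.g. `/* a->connection may be stale, only trust it once channel_id matches */`, would make that invariant visible. The added test also dereferences `conn`, which the pointer comparison did not, so a NULL `conn` would now fault here. Presumably no caller passes one, but the parameter list and the rest of the loop are outside the hunk.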
@@ -1512,6 +1516,7 @@ NTSTATUS smbXsrv_session_create_auth(struct smbXsrv_session *session,
 a->in_security_mode = in_security_mode;
 a->creation_time = now;
 a->idle_time = now;
+ a->channel_id = conn->channel_id;
 if (conn->protocol >= PROTOCOL_SMB3_10) {
 a->preauth = talloc(a, struct smbXsrv_preauth);
-- 
2.47.3