From: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Date: Fri, 3 Nov 2017 22:33:28 +0000 (+0000)
Subject: s3: smbd: Fix delete-on-close after smb2_find
X-Git-Tag: samba-4.6.10~29
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b3ac865e3b3d87c3bafaa4ddb109d387c3beec26;p=thirdparty%2Fsamba.git

s3: smbd: Fix delete-on-close after smb2_find

Both dptr_create() and can_delete_directory_fsp() are calling OpenDir_fsp()
to get a directory handle. This causes an issue when delete-on-close is
set after smb2_find because both directory handle instances share the same
underlying file descriptor. In addition the SMB_ASSERT() in destructor
smb_Dir_destructor() gets triggered.

To avoid this use OpenDir() instead of OpenDir_fsp().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13118

Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit c9e996d78df3ce326a5c13f8f4f1426918769ceb)
---

diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
index 1348d12298c..98ffebbc9e9 100644
--- a/source3/smbd/dir.c
+++ b/source3/smbd/dir.c
@@ -2127,9 +2127,9 @@ NTSTATUS can_delete_directory_fsp(files_struct *fsp)
 	char *talloced = NULL;
 	SMB_STRUCT_STAT st;
 	struct connection_struct *conn = fsp->conn;
-	struct smb_Dir *dir_hnd = OpenDir_fsp(talloc_tos(),
+	struct smb_Dir *dir_hnd = OpenDir(talloc_tos(),
 					conn,
-					fsp,
+					fsp->fsp_name,
 					NULL,
 					0);