From: Jeremy Allison Date: Sun, 27 Sep 2020 05:14:33 +0000 (-0700) Subject: s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(). X-Git-Tag: samba-4.12.11~32 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dcce5e5bf679e8d9afeb9bb9455da2c98b3ae7b2;p=thirdparty%2Fsamba.git s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(). They may have been carefully set by the aio_del_req_from_fsp() destructor so we must not overwrite here. Found via some *amazing* debugging work from Ashok Ramakrishnan . BUG: https://bugzilla.samba.org/show_bug.cgi?id=14515 Signed-off-by: Jeremy Allison Reviewed-by: Ralph Boehme Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Wed Sep 30 11:18:43 UTC 2020 on sn-devel-184 (cherry picked from commit fca8cb63762faff54cda243c1ed8217b36333131) --- diff --git a/source3/smbd/close.c b/source3/smbd/close.c index 1a6e33b4403..42be29b03be 100644 --- a/source3/smbd/close.c +++ b/source3/smbd/close.c @@ -666,7 +666,19 @@ static void assert_no_pending_aio(struct files_struct *fsp, * fsp->aio_requests[x], causing a crash. */ while (fsp->num_aio_requests != 0) { - TALLOC_FREE(fsp->aio_requests[0]); + /* + * NB. We *MUST* use + * talloc_free(fsp->aio_requests[0]), + * and *NOT* TALLOC_FREE() here, as + * TALLOC_FREE(fsp->aio_requests[0]) + * will overwrite any new contents of + * fsp->aio_requests[0] that were + * copied into it via the destructor + * aio_del_req_from_fsp(). + * + * BUG: https://bugzilla.samba.org/show_bug.cgi?id=14515 + */ + talloc_free(fsp->aio_requests[0]); } return; }
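Review bot: The `while (fsp->num_aio_requests != 0)` loop in assert_no_pending_aio() ignores the return value of `talloc_free(fsp->aio_requests[0])`, so it only terminates if every call really runs the aio_del_req_from_fsp() destructor and that destructor shrinks fsp->num_aio_requests. With the macro gone, slot 0 is no longer cleared by this code, so a free that fails or a destructor that leaves the count unchanged would make the loop call talloc_free() on the same pointer again. Consider checking the return value, or recording fsp->num_aio_requests before the call and failing loudly if it has not decreased afterwards. The new comment is worth keeping because it stops a later cleanup from switching back to TALLOC_FREE(); it would read more clearly if it stated, as the commit subject does, that the macro writes NULL into fsp->aio_requests[0] after the free, since that is the overwrite being avoided.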