smbd: free open_rec state in remove_deferred_open_message_smb2_internal()

The lifetime of open_rec (struct deferred_open_record) ojects is the time
processing the SMB open request every time the request is scheduled, ie once we
reschedule we must wipe the slate clean. In case the request gets deferred
again, a new open_rec will be created by the schedule functions.

This ensures any timer-event tied to the open_rec gets cancelled and doesn't
fire unexpectedly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14672
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1843
RN: smbd panic when two clients open same file

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 18 18:04:09 UTC 2021 on sn-devel-184

diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c
index 2dd3745dd329dc28680425b5da110fd43a025efd..8ff57c94aa0c6347accad590b4c6090b421f89bc 100644 (file)
--- a/source3/smbd/smb2_create.c
+++ b/source3/smbd/smb2_create.c
@@ -1714,6 +1714,7 @@ static void remove_deferred_open_message_smb2_internal(struct smbd_smb2_request
        state->open_was_deferred = false;
        /* Ensure we don't have any outstanding immediate event. */
        TALLOC_FREE(state->im);
+       TALLOC_FREE(state->open_rec);
 }
 
 void remove_deferred_open_message_smb2(