From: Ralph Boehme
Date: Wed, 17 Mar 2021 15:22:37 +0000 (+0100)
Subject: smbd: reset dangling watch_req pointer in poll_open_done
X-Git-Tag: tevent-0.11.0~1462
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=065ed088b3d5710c288e46a5bf1e063f9a29c8cc;p=thirdparty%2Fsamba.git

smbd: reset dangling watch_req pointer in poll_open_done

We just freed subreq and a pointer to subreq is stored in open_rec->watch_req, so we must invalidate the pointer. Otherwise, if the poll open timer fires, it will do a TALLOC_FREE(open_rec->watch_req); on the dangling pointer, which may crash or do something worse like freeing some other random talloc memory.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14672
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1843

Signed-off-by: Ralph Boehme
Reviewed-by: Jeremy Allison
---
diff --git a/source3/smbd/open.c b/source3/smbd/open.c index 5b3dc246e8a..fd4536b4914 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -3040,6 +3040,8 @@ static void poll_open_done(struct tevent_req *subreq) status = share_mode_watch_recv(subreq, NULL, NULL); TALLOC_FREE(subreq); + open_rec->watch_req = NULL; + DBG_DEBUG("dbwrap_watched_watch_recv returned %s\n", nt_errstr(status));
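Review bot: the added `open_rec->watch_req = NULL;` immediately after `TALLOC_FREE(subreq);` in poll_open_done is the right place for the reset, but the reason it must be there (watch_req aliases subreq and the poll open timer callback frees it, per the commit message) lives only in the commit message; a one-line code comment above the assignment would keep the next person from "tidying" it away and reintroducing the use-after-free. Separately, the DBG_DEBUG string in the same hunk still says "dbwrap_watched_watch_recv returned" while the call being reported is share_mode_watch_recv; worth updating the message in a follow-up so the log points at the function actually called.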