From: Volker Lendecke
Date: Wed, 4 Nov 2020 12:35:26 +0000 (+0100)
Subject: smbd: Avoid share_mode_lock dereference in scavenger
X-Git-Tag: samba-4.14.0rc1~660
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3d33eee53663e16f6b7c2e5e1d6632900ad7d6c2;p=thirdparty%2Fsamba.git
smbd: Avoid share_mode_lock dereference in scavenger
Pass "struct file_id" to callees without accessing share_mode_lock internals
Signed-off-by: Volker Lendecke
Reviewed-by: Jeremy Allison
---
diff --git a/source3/smbd/scavenger.c b/source3/smbd/scavenger.c
index 8e7ed0572d8..6e8f97b530f 100644
--- a/source3/smbd/scavenger.c
+++ b/source3/smbd/scavenger.c
@@ -467,6 +467,7 @@ struct scavenger_timer_context {
 };
 struct cleanup_disconnected_state {
+ struct file_id fid;
 struct share_mode_lock *lck;
 uint64_t open_persistent_id;
 size_t num_disconnected;
@@ -479,8 +480,7 @@ static bool cleanup_disconnected_lease(struct share_mode_entry *e,
 struct cleanup_disconnected_state *state = private_data;
 NTSTATUS status;
- status = leases_db_del(
- &e->client_guid, &e->lease_key, &state->lck->data->id);
+ status = leases_db_del(&e->client_guid, &e->lease_key, &state->fid);
 if (!NT_STATUS_IS_OK(status)) {
 DBG_DEBUG("leases_db_del failed: %s\n",
@@ -506,7 +506,7 @@ static bool share_mode_find_connected_fn(
 struct server_id_buf tmp2;
 DBG_INFO("file (file-id='%s', servicepath='%s', name='%s') "
 "is used by server %s ==> do not cleanup\n",
- file_id_str_buf(d->id, &tmp1),
+ file_id_str_buf(state->fid, &tmp1),
 d->servicepath,
 name,
 server_id_str_buf(e->pid, &tmp2));
@@ -522,7 +522,7 @@ static bool share_mode_find_connected_fn(
 "(file-id='%s', servicepath='%s', name='%s') "
 "has share_file_id %"PRIu64" but expected "
 "%"PRIu64"==> do not cleanup\n",
- file_id_str_buf(d->id, &tmp),
+ file_id_str_buf(state->fid, &tmp),
 d->servicepath,
 name,
 e->share_file_id,
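Review bot: The new `fid` member of `struct cleanup_disconnected_state` sits next to `lck` with nothing stating that both must describe the same file. The removed line read the id through `state->lck->data->id`, so the two could not disagree before; now `cleanup_disconnected_lease` (the `@@ -479` hunk) deletes lease records keyed by whatever `state->fid` holds. The initialiser in `share_mode_cleanup_disconnected` (`@@ -574`) sets it from the caller's `fid`, and the lock is presumably fetched for that same id outside the visible hunks, so this looks correct today. I would record the invariant on the member, e.g. `struct file_id fid; /* id of the file lck refers to; set once in share_mode_cleanup_disconnected() */`. The rest of the struct lies outside the hunk.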
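Review bot: The log arguments in the `@@ -506` hunk now take the file id from `state->fid` but still take the path from `d->servicepath`, so `share_mode_find_connected_fn` keeps its dependency on the share-mode data pointer `d`, whose declaration is outside the hunk. The same pairing appears in the `@@ -522` hunk and in `cleanup_disconnected_share_mode_entry_fn` (`@@ -554`). These messages are what an operator reads to work out why a disconnected open was not cleaned up, so the id and the path should be known to describe the same record. A short comment where `d` is declared, such as `/* only servicepath is still read from d; the file id comes from state->fid */`, would make the remaining dependency explicit for whoever finishes removing it.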
@@ -554,7 +554,7 @@ static bool cleanup_disconnected_share_mode_entry_fn(
 struct server_id_buf tmp2;
 DBG_ERR("file (file-id='%s', servicepath='%s', name='%s') "
 "is used by server %s ==> internal error\n",
- file_id_str_buf(d->id, &tmp1),
+ file_id_str_buf(state->fid, &tmp1),
 d->servicepath,
 name,
 server_id_str_buf(e->pid, &tmp2));
@@ -574,6 +574,7 @@ static bool share_mode_cleanup_disconnected(
 struct file_id fid, uint64_t open_persistent_id)
 {
 struct cleanup_disconnected_state state = {
+ .fid = fid,
 .open_persistent_id = open_persistent_id
 };
 struct share_mode_data *data;