From: Ralph Boehme
Date: Tue, 16 Mar 2021 17:18:46 +0000 (+0100)
Subject: smbd: free open_rec state in remove_deferred_open_message_smb2_internal()
X-Git-Tag: tevent-0.11.0~1460
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=591c9196962b695b01c0d86918b8f8a263e9665c;p=thirdparty%2Fsamba.git

smbd: free open_rec state in remove_deferred_open_message_smb2_internal()

The lifetime of open_rec (struct deferred_open_record) objects is the time processing the SMB open request every time the request is scheduled, i.e. once we reschedule we must wipe the slate clean. In case the request gets deferred again, a new open_rec will be created by the schedule functions.

This ensures any timer-event tied to the open_rec gets cancelled and doesn't fire unexpectedly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14672
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1843
RN: smbd panic when two clients open same file

Signed-off-by: Ralph Boehme
Reviewed-by: Jeremy Allison
Autobuild-User(master): Jeremy Allison
Autobuild-Date(master): Thu Mar 18 18:04:09 UTC 2021 on sn-devel-184
---
diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c index 2dd3745dd32..8ff57c94aa0 100644 --- a/source3/smbd/smb2_create.c +++ b/source3/smbd/smb2_create.c @@ -1714,6 +1714,7 @@ static void remove_deferred_open_message_smb2_internal(struct smbd_smb2_request state->open_was_deferred = false; /* Ensure we don't have any outstanding immediate event. */ TALLOC_FREE(state->im); + TALLOC_FREE(state->open_rec); } void remove_deferred_open_message_smb2(
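
Review bot: the added TALLOC_FREE(state->open_rec) at the end of remove_deferred_open_message_smb2_internal() carries no comment, and the comment directly above it ("Ensure we don't have any outstanding immediate event.") only covers state->im. The reason for the new free is stated only in the commit message (the open_rec must not outlive one scheduling of the request, so that a timer event tied to it cannot fire later), so a one-line comment saying that at the call site would keep a later cleanup from dropping the line as redundant. The patch touches only source3/smbd/smb2_create.c; since the release note describes a panic when two clients open the same file, a regression test for that sequence would be worth adding alongside it.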