s3: VFS: vfs_default. Protect vfs_pread_done() from accessing a freed req pointer.
authorJeremy Allison <jra@samba.org>
Fri, 28 Feb 2020 00:40:46 +0000 (16:40 -0800)
committerJeremy Allison <jra@samba.org>
Sun, 8 Mar 2020 18:07:43 +0000 (18:07 +0000)
If the fsp is forced closed by a SHUTDOWN_CLOSE whilst the
request is in flight (share forced closed by smbcontrol),
then we set state->req = NULL in the state destructor.

The existing state destructor prevents the state memory
from being freed, so when the thread completes and calls
vfs_pread_done(), just throw away the result if
state->req == NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14301

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
source3/modules/vfs_default.c

index b8c36180b7c137b034343199b0c1c93d30907a44..21bc9c7adf78099cd42b3a1eedd1a771d09d543b 100644 (file)
@@ -863,6 +863,15 @@ static void vfs_pread_do(void *private_data)
 
 static int vfs_pread_state_destructor(struct vfswrap_pread_state *state)
 {
+       /*
+        * This destructor only gets called if the request is still
+        * in flight, which is why we deny it by returning -1. We
+        * also set the req pointer to NULL so the _done function
+        * can detect the caller doesn't want the result anymore.
+        *
+        * Forcing the fsp closed by a SHUTDOWN_CLOSE can cause this.
+        */
+       state->req = NULL;
        return -1;
 }
 
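Review bot: The new comment in vfs_pread_state_destructor() explains why it returns -1 but not what then owns `state` or who eventually frees it, which is what a reader of the destructor needs: after the refused free talloc moves `state` to the NULL context and the only thing still holding it is the in-flight pthreadpool job, whose completion path (vfs_pread_done(), further down in this file) clears this destructor and frees `state` itself. I would append to the comment: `* After the refused free, talloc reparents state to the NULL context;` `* vfs_pread_done() clears this destructor and frees state once the job completes.` Also note that `state->req = NULL` is written on the main thread while the worker may still be executing vfs_pread_do() (defined above, outside this hunk); that is race-free only as long as vfs_pread_do() never reads `state->req`, which cannot be confirmed from this hunk and is worth stating in the comment.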
@@ -877,6 +886,17 @@ static void vfs_pread_done(struct tevent_req *subreq)
        TALLOC_FREE(subreq);
        SMBPROFILE_BYTES_ASYNC_END(state->profile_bytes);
        talloc_set_destructor(state, NULL);
+       if (req == NULL) {
+               /*
+                * We were shutdown closed in flight. No one
+                * wants the result, and state has been reparented
+                * to the NULL context, so just free it so we
+                * don't leak memory.
+                */
+               DBG_NOTICE("pread request abandoned in flight\n");
+               TALLOC_FREE(state);
+               return;
+       }
        if (ret != 0) {
                if (ret != EAGAIN) {
                        tevent_req_error(req, ret);
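Review bot: The abandoned-request branch at `if (req == NULL)` only succeeds in freeing `state` because `talloc_set_destructor(state, NULL)` on the line just above it has already removed the destructor that returns -1; swapping those two statements would make `TALLOC_FREE(state)` silently fail and leak the state, and nothing in the code records that ordering dependency. I would put a comment on that line: `/* Must precede TALLOC_FREE(state) below: the destructor refuses frees by returning -1. */`. The check also presumes that `req` was loaded from `state->req` at the top of vfs_pread_done(), which lies outside this hunk — if `req` were instead recovered from the subreq callback data, a freed request would not read as NULL and the guard would not fire, so that is worth confirming against the function prologue.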