diff options
author | Jeremy Allison <jra@samba.org> | 2020-09-26 22:14:33 -0700 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2020-11-19 12:39:01 +0000 |
commit | dcce5e5bf679e8d9afeb9bb9455da2c98b3ae7b2 (patch) | |
tree | a831236bf673bbb53c143111c977e78e71ad299b | |
parent | 4873f377e75d5104b4ca2afbc36783b850463eb0 (diff) | |
download | samba-dcce5e5bf679e8d9afeb9bb9455da2c98b3ae7b2.tar.gz |
s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE().
They may have been carefully set by the aio_del_req_from_fsp()
destructor so we must not overwrite here.
Found via some *amazing* debugging work from Ashok Ramakrishnan <aramakrishnan@nasuni.com>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14515
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Sep 30 11:18:43 UTC 2020 on sn-devel-184
(cherry picked from commit fca8cb63762faff54cda243c1ed8217b36333131)
-rw-r--r-- | source3/smbd/close.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/source3/smbd/close.c b/source3/smbd/close.c index 1a6e33b4403..42be29b03be 100644 --- a/source3/smbd/close.c +++ b/source3/smbd/close.c @@ -666,7 +666,19 @@ static void assert_no_pending_aio(struct files_struct *fsp, * fsp->aio_requests[x], causing a crash. */ while (fsp->num_aio_requests != 0) { - TALLOC_FREE(fsp->aio_requests[0]); + /* + * NB. We *MUST* use + * talloc_free(fsp->aio_requests[0]), + * and *NOT* TALLOC_FREE() here, as + * TALLOC_FREE(fsp->aio_requests[0]) + * will overwrite any new contents of + * fsp->aio_requests[0] that were + * copied into it via the destructor + * aio_del_req_from_fsp(). + * + * BUG: https://bugzilla.samba.org/show_bug.cgi?id=14515 + */ + talloc_free(fsp->aio_requests[0]); } return; } |