authorJeremy Allison <jra@samba.org>2021-01-28 11:08:48 -0800
committerKarolin Seeger <kseeger@samba.org>2021-02-03 22:32:58 +0000
commitdf0dd2ae007e96261fb98e3cf858543c116b81ab (patch)
treecae09cdacf7c19b20d32839652ed8eae47baec9f
parentb6a9277beaeb7dd113ee6eb95243af8701985216 (diff)
s3: libsmb: cli_state_save_tcon(). Don't deepcopy tcon struct when temporarily swapping out a connection on a cli_state.
This used to make a deep copy of either cli->smb2.tcon or cli->smb1.tcon, but this leaves the original tcon pointer in place which will then get TALLOC_FREE()'d when the new tree connection is made on this cli_state. As there may be pipes open on the old tree connection with talloc'ed state allocated using the original tcon pointer as a talloc parent we can't deep copy and then free this pointer as that will fire the destructors on the pipe memory and mark them as not connected. This call is used to temporarily swap out a tcon pointer (whilst keeping existing pipes open) to allow a new tcon on the same cli_state and all users correctly call cli_state_restore_tcon() once they are finished with the new tree connection. Just return the existing pointer and set the old value to NULL. We know we MUST be calling cli_state_restore_tcon() below to restore the original tcon tree connection pointer before closing the session. Remove the knownfail.d entry. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13992 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Tue Feb 2 21:05:25 UTC 2021 on sn-devel-184 (cherry picked from commit 4f80f5f9046b64a9e5e0503b1cb54f1492c4faec) Autobuild-User(v4-14-test): Karolin Seeger <kseeger@samba.org> Autobuild-Date(v4-14-test): Wed Feb 3 22:32:58 UTC 2021 on sn-devel-184
-rw-r--r--selftest/knownfail.d/bug-139922
-rw-r--r--source3/libsmb/clientgen.c30
2 files changed, 28 insertions, 4 deletions
diff --git a/selftest/knownfail.d/bug-13992 b/selftest/knownfail.d/bug-13992
deleted file mode 100644
index 76365f09303..00000000000
--- a/selftest/knownfail.d/bug-13992
+++ /dev/null
@@ -1,2 +0,0 @@
-# bug 13992
-^samba3.blackbox.net_rpc_share_allowedusers.net_rpc_share_allowedusers\(nt4_dc\)
diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
index d117885b8f7..e86f52dac0d 100644
--- a/source3/libsmb/clientgen.c
+++ b/source3/libsmb/clientgen.c
@@ -348,11 +348,37 @@ uint32_t cli_state_set_tid(struct cli_state *cli, uint32_t tid)
struct smbXcli_tcon *cli_state_save_tcon(struct cli_state *cli)
{
+ /*
+ * Note. This used to make a deep copy of either
+ * cli->smb2.tcon or cli->smb1.tcon, but this leaves
+ * the original pointer in place which will then get
+ * TALLOC_FREE()'d when the new connection is made on
+ * this cli_state.
+ *
+ * As there may be pipes open on the old connection with
+ * talloc'ed state allocated using the tcon pointer as a
+ * parent we can't deep copy and then free this as that
+ * closes the open pipes.
+ *
+ * This call is used to temporarily swap out a tcon pointer
+ * to allow a new tcon on the same cli_state.
+ *
+ * Just return the raw pointer and set the old value to NULL.
+ * We know we MUST be calling cli_state_restore_tcon() below
+ * to restore before closing the session.
+ *
+ * See BUG: https://bugzilla.samba.org/show_bug.cgi?id=13992
+ */
+ struct smbXcli_tcon *tcon_ret = NULL;
+
if (smbXcli_conn_protocol(cli->conn) >= PROTOCOL_SMB2_02) {
- return smbXcli_tcon_copy(cli, cli->smb2.tcon);
+ tcon_ret = cli->smb2.tcon;
+ cli->smb2.tcon = NULL; /* *Not* TALLOC_FREE(). */
} else {
- return smbXcli_tcon_copy(cli, cli->smb1.tcon);
+ tcon_ret = cli->smb1.tcon;
+ cli->smb1.tcon = NULL; /* *Not* TALLOC_FREE(). */
}
+ return tcon_ret;
}
void cli_state_restore_tcon(struct cli_state *cli, struct smbXcli_tcon *tcon)
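Review bot: After this call `cli->smb2.tcon` / `cli->smb1.tcon` is NULL and the returned pointer is the only handle to the live tcon that open pipes still depend on, but that ownership contract is stated only inside the body ("We know we MUST be calling cli_state_restore_tcon() below") and nothing enforces it. A caller that returns early on an error path without restoring would leave the cli_state holding NULL or the temporary tcon while the pipe state still hangs off the saved one; whether every caller restores on all paths cannot be checked from this hunk. I would state the contract on the function itself, e.g. `/* Returns the live tcon, not a copy; cli->smbN.tcon is NULL afterwards. Caller must pass the result to cli_state_restore_tcon() on every exit path and must never TALLOC_FREE() it. */`. Accessors that dereference `cli->smbN.tcon` without a NULL check deserve a look for the same reason (cli_state_set_tid() from the hunk header may be one, its body is not shown). cli_state_restore_tcon() begins on the last context line and continues outside the hunk.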