author | Noel Power <nopower@suse.com> | 2014-02-27 12:07:11 -0800 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2014-05-02 15:39:19 +0200 |
commit | 4386827f919cf3679fde99e5f4e63ad81efa68de (patch) | |
tree | b32f81db7dc33f8475ac08385b81b48cc677ae03 /source3 | |
parent | deadf7095c3ad7f93e8d099052503b0a334b9eec (diff) | |
s3: smbd - smb1 - fix read of deleted memory in reply_writeclose().
While running smbtorture test raw.write under valgrind an "Invalid read"
was reported in method reply_writeclose; it seems that after closing a file
we sometimes later try to access it again.
Signed-off-by: Noel Power <noel.power@suse.com>
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Mar 3 20:42:40 CET 2014 on sn-devel-104
(cherry picked from commit 04e434661fa6b5f13776f925b0a7cbadb6b6d006)
Fix bug #10554 - request backport for 'smb1 - fix read of deleted memory in
reply_writeclose()'.
Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Fri May 2 15:39:19 CEST 2014 on sn-devel-104
Diffstat (limited to 'source3')
-rw-r--r-- | source3/smbd/reply.c | 24 |
1 files changed, 13 insertions, 11 deletions
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index adf4b6fe677..902b43f6d69 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -5193,7 +5193,7 @@ void reply_writeclose(struct smb_request *req)
 mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
 data = (const char *)req->buf + 1;
- if (!fsp->print_file) {
+ if (fsp->print_file == NULL) {
 init_strict_lock_struct(fsp, (uint64_t)req->smbpid, (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK, &lock);
@@ -5207,6 +5207,10 @@ void reply_writeclose(struct smb_request *req)
 nwritten = write_file(req,fsp,data,startpos,numtowrite);
+ if (fsp->print_file == NULL) {
+ SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock);
+ }
+
 set_close_write_time(fsp, mtime);
 /*
@@ -5214,34 +5218,32 @@ void reply_writeclose(struct smb_request *req)
 * JRA.
 */
+ DEBUG(3,("writeclose %s num=%d wrote=%d (numopen=%d)\n",
+ fsp_fnum_dbg(fsp), (int)numtowrite, (int)nwritten,
+ (numtowrite) ? conn->num_files_open - 1 : conn->num_files_open));
+
 if (numtowrite) {
 DEBUG(3,("reply_writeclose: zero length write doesn't close " "file %s\n", fsp_str_dbg(fsp)));
 close_status = close_file(req, fsp, NORMAL_CLOSE);
+ fsp = NULL;
 }
- DEBUG(3,("writeclose %s num=%d wrote=%d (numopen=%d)\n",
- fsp_fnum_dbg(fsp), (int)numtowrite, (int)nwritten,
- conn->num_files_open));
-
 if(((nwritten == 0) && (numtowrite != 0))||(nwritten < 0)) {
 reply_nterror(req, NT_STATUS_DISK_FULL);
- goto strict_unlock;
+ goto out;
 }
 if(!NT_STATUS_IS_OK(close_status)) {
 reply_nterror(req, close_status);
- goto strict_unlock;
+ goto out;
 }
 reply_outbuf(req, 1, 0);
 SSVAL(req->outbuf,smb_vwv0,nwritten);
-strict_unlock:
- if (numtowrite && !fsp->print_file) {
- SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock);
- }
+out:
 END_PROFILE(SMBwriteclose);
 return; |
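Review bot: The unlock added after `write_file()` in the second hunk runs whenever `fsp->print_file == NULL`, while the removed `strict_unlock:` block also required `numtowrite` to be non-zero, and the commit message does not mention this change of condition. If releasing the range for a zero-length request is intended, a comment above the new `if` would record it, for example `/* Always release the range locked above, including for zero-length writes. */`. reply_writeclose starts and ends outside the hunk and the matching SMB_VFS_STRICT_LOCK call is not visible here, so the pairing should be confirmed against the full function.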
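Review bot: In the third hunk, `fsp = NULL;` after `close_file()` has no comment, although it and the relocated `DEBUG` call are what keep the closed handle from being read again. A line such as `/* fsp is gone after close_file(); do not dereference it below. */` above the assignment would discourage a later edit from moving the log call or adding an `fsp->` access back after the close. The moved `DEBUG` also prints `conn->num_files_open - 1` as a prediction before the close has run, so the logged count will be wrong if `close_file()` fails. The unchanged message inside `if (numtowrite)` still says that a zero length write doesn't close the file, in the branch that does close it.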