s3:smb2_notify: fix use after free on long living notify requests

This is a hack, but it should fix the bug:

   change_notify_add_request() talloc moves smb_request away,
   which is not expected by the smb2_notify.c code...

   smbd_smb2_notify_reply() uses tevent_req_defer_callback()
   (in older versions an immediate event) to defer the response.
   This is needed as change_notify_reply() will do more things
   after calling reply_fn() (smbd_smb2_notify_reply is this case)
   and often change_notify_remove_request() is called after
   change_notify_reply().

   change_notify_remove_request() implicitly free's the smb_request
   that was passed to change_notify_add_request().

   smbd_smb2_fake_smb_request() added the smb_request as smb2req->smb1req,
   which is expected to be available after smbd_smb2_notify_recv() returned.

The long term solution would be the following interface:

struct tevent_req *change_notify_request_send(TALLOC_CTX *mem_ctx,
                                              struct tevent_context *ev,
                                              struct files_struct *fsp,
                                              uint32_t max_length,
                                              uint32_t filter,
                                              bool recursive);
NTSTATUS change_notify_request_recv(struct tevent_req *req,
                                    TALLOC_CTX *mem_ctx,
                                    DATA_BLOB *buffer);

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10442

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Feb 14 11:18:15 CET 2014 on sn-devel-104

0 files changed, 0 insertions, 0 deletions