authorJeremy Allison <jra@samba.org>2014-05-01 10:58:51 -0700
committerJeremy Allison <jra@samba.org>2014-05-02 21:27:07 +0200
commitbed323cebcfcf3298002ea8bc2eb6787419043b6 (patch)
treed6dbb15b6524bc7ecadcb02ced90f9f804502df5 /source3
parente8a323c73138bc132e95facfae011847e7c14aa0 (diff)
s3 : smbd : Protect all possible code paths from fsp->op == NULL.
In changes to come this will be possible for an INTERNAL_OPEN_ONLY. The protection was already in place for some code paths, this makes the coverage complete. Bug 10564 - Lock order violation and file lost https://bugzilla.samba.org/show_bug.cgi?id=10564 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
Diffstat (limited to 'source3')
-rw-r--r--source3/locking/brlock.c16
-rw-r--r--source3/modules/vfs_btrfs.c5
-rw-r--r--source3/modules/vfs_default.c9
-rw-r--r--source3/smbd/aio.c10
-rw-r--r--source3/smbd/scavenger.c3
5 files changed, 41 insertions, 2 deletions
diff --git a/source3/locking/brlock.c b/source3/locking/brlock.c
index ac22ba44d9..e0e042d91b 100644
--- a/source3/locking/brlock.c
+++ b/source3/locking/brlock.c
@@ -1563,12 +1563,18 @@ void brl_close_fnum(struct messaging_context *msg_ctx,
bool brl_mark_disconnected(struct files_struct *fsp)
{
uint32_t tid = fsp->conn->cnum;
- uint64_t smblctx = fsp->op->global->open_persistent_id;
+ uint64_t smblctx;
uint64_t fnum = fsp->fnum;
unsigned int i;
struct server_id self = messaging_server_id(fsp->conn->sconn->msg_ctx);
struct byte_range_lock *br_lck = NULL;
+ if (fsp->op == NULL) {
+ return false;
+ }
+
+ smblctx = fsp->op->global->open_persistent_id;
+
if (!fsp->op->global->durable) {
return false;
}
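Review bot: The new `fsp->op == NULL` guard in brl_mark_disconnected has no comment saying when op can legitimately be NULL, unlike the aio.c guards in this same commit, which carry `/* No AIO on internal opens. */`. Someone reading brlock.c alone cannot tell whether the early `return false` is an expected case or is hiding a bug, and it is indistinguishable to the caller from the "not durable" return just below. I would add a comment above the check along the lines of `/* Internal opens have no fsp->op, so there is nothing durable to mark. */`, going by the commit message's mention of INTERNAL_OPEN_ONLY. The same applies to the guards added in brl_reconnect_disconnected and scavenger_schedule_disconnected. The function body continues past the end of this hunk.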
@@ -1623,12 +1629,18 @@ bool brl_mark_disconnected(struct files_struct *fsp)
bool brl_reconnect_disconnected(struct files_struct *fsp)
{
uint32_t tid = fsp->conn->cnum;
- uint64_t smblctx = fsp->op->global->open_persistent_id;
+ uint64_t smblctx;
uint64_t fnum = fsp->fnum;
unsigned int i;
struct server_id self = messaging_server_id(fsp->conn->sconn->msg_ctx);
struct byte_range_lock *br_lck = NULL;
+ if (fsp->op == NULL) {
+ return false;
+ }
+
+ smblctx = fsp->op->global->open_persistent_id;
+
if (!fsp->op->global->durable) {
return false;
}
diff --git a/source3/modules/vfs_btrfs.c b/source3/modules/vfs_btrfs.c
index 997a5de02f..c1e17b301e 100644
--- a/source3/modules/vfs_btrfs.c
+++ b/source3/modules/vfs_btrfs.c
@@ -116,6 +116,11 @@ static struct tevent_req *btrfs_copy_chunk_send(struct vfs_handle_struct *handle
return tevent_req_post(req, ev);
}
+ if (src_fsp->op == NULL || dest_fsp->op == NULL) {
+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
+ return tevent_req_post(req, ev);
+ }
+
init_strict_lock_struct(src_fsp,
src_fsp->op->global->open_persistent_id,
src_off,
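Review bot: The `NT_STATUS_INTERNAL_ERROR` path added before init_strict_lock_struct fails the request without logging anything. If a NULL fsp->op ever reaches this copy-chunk path, which presumably serves client requests, nothing records which handle was involved or that the guard fired. I would add a debug line inside the guard, e.g. `DEBUG(1, ("copy chunk on fsp without open record\n"));`, so the event is visible in smbd logs. The two guards added to vfswrap_copy_chunk_send in vfs_default.c have the same gap. btrfs_copy_chunk_send starts and ends outside this hunk.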
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index a129d81d43..06953573e6 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -1393,6 +1393,10 @@ static struct tevent_req *vfswrap_copy_chunk_send(struct vfs_handle_struct *hand
off_t this_num = MIN(sizeof(vfs_cc_state->buf),
num - vfs_cc_state->copied);
+ if (src_fsp->op == NULL) {
+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
+ return tevent_req_post(req, ev);
+ }
init_strict_lock_struct(src_fsp,
src_fsp->op->global->open_persistent_id,
src_off,
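Review bot: The `src_fsp->op == NULL` check sits directly after the per-chunk `this_num` computation, so it appears to be inside the copy loop and re-evaluated for every chunk, and the matching `dest_fsp->op` check in the next hunk only runs after the source read has already advanced `src_off`. Neither pointer looks like it changes between iterations, so both conditions could be tested once before the loop, as vfs_btrfs.c does in this commit with `if (src_fsp->op == NULL || dest_fsp->op == NULL) {`. That would fail the request before any I/O is issued and keep the two VFS backends consistent. The loop header is outside this hunk, so the placement is inferred from the surrounding lines.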
@@ -1426,6 +1430,11 @@ static struct tevent_req *vfswrap_copy_chunk_send(struct vfs_handle_struct *hand
src_off += ret;
+ if (dest_fsp->op == NULL) {
+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
+ return tevent_req_post(req, ev);
+ }
+
init_strict_lock_struct(dest_fsp,
dest_fsp->op->global->open_persistent_id,
dest_off,
diff --git a/source3/smbd/aio.c b/source3/smbd/aio.c
index 9c7c92c91e..2235c32eef 100644
--- a/source3/smbd/aio.c
+++ b/source3/smbd/aio.c
@@ -688,6 +688,11 @@ NTSTATUS schedule_smb2_aio_read(connection_struct *conn,
return NT_STATUS_RETRY;
}
+ if (fsp->op == NULL) {
+ /* No AIO on internal opens. */
+ return NT_STATUS_RETRY;
+ }
+
if ((!min_aio_read_size || (smb_maxcnt < min_aio_read_size))
&& !SMB_VFS_AIO_FORCE(fsp)) {
/* Too small a read for aio request. */
@@ -839,6 +844,11 @@ NTSTATUS schedule_aio_smb2_write(connection_struct *conn,
return NT_STATUS_RETRY;
}
+ if (fsp->op == NULL) {
+ /* No AIO on internal opens. */
+ return NT_STATUS_RETRY;
+ }
+
if ((!min_aio_write_size || (in_data.length < min_aio_write_size))
&& !SMB_VFS_AIO_FORCE(fsp)) {
/* Too small a write for aio request. */
diff --git a/source3/smbd/scavenger.c b/source3/smbd/scavenger.c
index e6e2878806..122305e04b 100644
--- a/source3/smbd/scavenger.c
+++ b/source3/smbd/scavenger.c
@@ -418,6 +418,9 @@ void scavenger_schedule_disconnected(struct files_struct *fsp)
struct scavenger_message msg;
DATA_BLOB msg_blob;
+ if (fsp->op == NULL) {
+ return;
+ }
nttime_to_timeval(&disconnect_time, fsp->op->global->disconnect_time);
timeout_usec = 1000 * fsp->op->global->durable_timeout_msec;
until = timeval_add(&disconnect_time,