DEVEL15-windows-smb-race-20070627

avoid a race condition when the smb_fidp is closed and an active request
is being performed on the referenced cm_scache_t.

(cherry picked from commit 7ecca7a58a5cd64c78ee20c712dfe8f419992678)

diff --git a/src/WINNT/afsd/smb3.c b/src/WINNT/afsd/smb3.c
index 3207a9d..e1887d3 100644 (file)
--- a/src/WINNT/afsd/smb3.c
+++ b/src/WINNT/afsd/smb3.c
@@ -6189,6 +6189,7 @@ long smb_ReceiveV3WriteX(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *outp)
         cm_key_t key;
         LARGE_INTEGER LOffset;
         LARGE_INTEGER LLength;
+        cm_scache_t * scp;
 
         pid = ((smb_t *) inp)->pid;
         key = cm_GenerateKey(vcp->vcID, pid, fd);
@@ -6198,9 +6199,10 @@ long smb_ReceiveV3WriteX(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *outp)
         LLength.HighPart = 0;
         LLength.LowPart = count;
 
-        lock_ObtainMutex(&fidp->scp->mx);
-        code = cm_LockCheckWrite(fidp->scp, LOffset, LLength, key);
-        lock_ReleaseMutex(&fidp->scp->mx);
+        scp = fidp->scp;
+        lock_ObtainMutex(&scp->mx);
+        code = cm_LockCheckWrite(scp, LOffset, LLength, key);
+        lock_ReleaseMutex(&scp->mx);
 
         if (code)
             goto done;
@@ -6309,15 +6311,17 @@ long smb_ReceiveV3ReadX(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *outp)
     key = cm_GenerateKey(vcp->vcID, pid, fd);
     {
         LARGE_INTEGER LOffset, LLength;
+        cm_scache_t *scp;
 
         LOffset.HighPart = offset.HighPart;
         LOffset.LowPart = offset.LowPart;
         LLength.HighPart = 0;
         LLength.LowPart = count;
 
-        lock_ObtainMutex(&fidp->scp->mx);
-        code = cm_LockCheckRead(fidp->scp, LOffset, LLength, key);
-        lock_ReleaseMutex(&fidp->scp->mx);
+        scp = fidp->scp;
+        lock_ObtainMutex(&scp->mx);
+        code = cm_LockCheckRead(scp, LOffset, LLength, key);
+        lock_ReleaseMutex(&scp->mx);
     }
 
     if (code) {