When walking the SMB2 requests queue, ensure the request is still "in flight"

before examining the details.

SMB2 requests stay on the queue until their out.vector has been
send, only then are they talloc_free'd.

Thanks for Ira Cooper <ira@wakeful.net> for giving me the
backtrace showing this.

Jeremy.

diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c
index 3302730fbe07cc3bc797b6b07b1fd0f53c9fb2e7..377db3214862b57a76025ad9f7571ad3f15f2ac1 100644 (file)
--- a/source3/smbd/smb2_create.c
+++ b/source3/smbd/smb2_create.c
@@ -877,7 +877,16 @@ static struct smbd_smb2_request *find_open_smb2req(uint64_t mid)
        struct smbd_smb2_request *smb2req;
 
        for (smb2req = sconn->smb2.requests; smb2req; smb2req = smb2req->next) {
-               uint64_t message_id = get_mid_from_smb2req(smb2req);
+               uint64_t message_id;
+               if (smb2req->subreq == NULL) {
+                       /* This message has been processed. */
+                       continue;
+               }
+               if (!tevent_req_is_in_progress(smb2req->subreq)) {
+                       /* This message has been processed. */
+                       continue;
+               }
+               message_id = get_mid_from_smb2req(smb2req);
                if (message_id == mid) {
                        return smb2req;
                }