smbd: Fix bug 10593

Bug 10593 is a panic that happens if we get an oplock break reply via
dbwrap_watch for which we can't find the SMB request anymore. This
error condition can legally happen when a client cancels the create
request before the oplock break response comes in. This patch drops the
dbwrap_watch_send request waiting for the oplock break when the request
is cancelled. Yet another talloc hierarchy problem, but if done right,
talloc hierarchies can make rundown of state easy :-)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 9cbc046760fb3b70e4769e07edb615f0c7f7b56a..b913c9c576debd5ca6747e553258f50253ed29ea 100644 (file)
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -1585,7 +1585,7 @@ static void defer_open(struct share_mode_lock *lck,
                struct tevent_req *watch_req;
                bool ret;
 
-               watch_state = talloc(req->sconn, struct defer_open_state);
+               watch_state = talloc(open_rec, struct defer_open_state);
                if (watch_state == NULL) {
                        exit_server("talloc failed");
                }