smbd: Fix crash bug in notify_deferred_opens
author Volker Lendecke <vl@samba.org>
Mon, 30 Sep 2013 12:52:49 +0000 (12:52 +0000)
committer Karolin Seeger <kseeger@samba.org>
Tue, 1 Oct 2013 07:37:09 +0000 (09:37 +0200)
The "deferred" array only holds enough entries for non-stale pids. We
should skip those as well when filling that array.

This bug came in with 19b6671. No issue in master and 4.1, we don't have
deferred entries anymore there.

Part of a fix for bug #10138 - smbd doesn't always clean up share modes after
hard crash.

source3/smbd/close.c

index e5b1fb78935fa879f467dfaf2286b3bc8e44a317..4adcc6116dae4c9bc2acfdffa6ca7d9350430c0e 100644 (file)
@@ -204,10 +204,14 @@ static void notify_deferred_opens(struct smbd_server_connection *sconn,
        num_deferred = 0;
        for (i=0; i<lck->data->num_share_modes; i++) {
                struct share_mode_entry *e = &lck->data->share_modes[i];
-               if (is_deferred_open_entry(e)) {
-                       deferred[num_deferred] = *e;
-                       num_deferred += 1;
+               if (!is_deferred_open_entry(e)) {
+                       continue;
+               }
+               if (share_mode_stale_pid(lck->data, i)) {
+                       continue;
                }
+               deferred[num_deferred] = *e;
+               num_deferred += 1;
        }
 
        /*
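Review bot: the store at `deferred[num_deferred] = *e;` is still not checked against the allocated size of `deferred`, so it stays correct only while this loop and the sizing code outside the hunk apply exactly the same filter. The commit message says the array holds only enough entries for non-stale pids, so if `share_mode_stale_pid(lck->data, i)` gives a different answer between the two passes, or the two conditions drift apart again, this loop writes past the end of the array. Suggest either a bounds check on `num_deferred` against the allocated count before the store, or a single shared predicate used by both the counting and the filling pass. A one-line comment above the stale-pid check noting that it must mirror the sizing logic would also help the next reader.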