DEVEL15-windows-checkVCs-20081015

LICENSE MIT
FIXES 116641

Do not drop references to 'nextp' until we are done with the object.
Dropping the last reference can result in the object being destroyed.

(cherry picked from commit 1115e29dacab98ed29ec603edfdaa8f697507daa)

diff --git a/src/WINNT/afsd/smb.c b/src/WINNT/afsd/smb.c
index d77ca29d1d7b83d8a5f96342f6c04167bfffa08d..0c430dcd17943a5cb3442c971f4e7ce70e2affe0 100644 (file)
--- a/src/WINNT/afsd/smb.c
+++ b/src/WINNT/afsd/smb.c
@@ -3752,14 +3752,24 @@ void smb_CheckVCs(void)
            osi_panic("afsd: invalid smb_vc_t detected in smb_allVCsp", 
                       __FILE__, __LINE__);
 
+        /* on the first pass hold 'vcp' which was not held as 'nextp' */
+        if (vcp != nextp)
+            smb_HoldVCNoLock(vcp);
+
+        /* 
+         * obtain a reference to 'nextp' now because we drop the
+         * smb_rctLock later and the list contents could change 
+         * or 'vcp' could be destroyed when released.
+         */
        nextp = vcp->nextp;
+       if (nextp)
+           smb_HoldVCNoLock(nextp);
 
-       if (vcp->flags & SMB_VCFLAG_ALREADYDEAD)
+       if (vcp->flags & SMB_VCFLAG_ALREADYDEAD) {
+            smb_ReleaseVCNoLock(vcp);
            continue;
+        }
 
-       smb_HoldVCNoLock(vcp);
-       if (nextp)
-           smb_HoldVCNoLock(nextp);
        smb_FormatResponsePacket(vcp, NULL, outp);
         smbp = (smb_t *)outp;
        outp->inCom = smbp->com = 0x2b /* Echo */;
@@ -3778,8 +3788,6 @@ void smb_CheckVCs(void)
 
        lock_ObtainWrite(&smb_rctLock);
        smb_ReleaseVCNoLock(vcp);
-       if (nextp)
-           smb_ReleaseVCNoLock(nextp);
     }
     lock_ReleaseWrite(&smb_rctLock);
     smb_FreePacket(outp);