From: Jeffrey Altman <jaltman@secure-endpoints.com>
Date: Wed, 15 Oct 2008 14:50:51 +0000 (+0000)
Subject: windows-checkVCs-20081015
X-Git-Tag: openafs-devel-1_5_61~756
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=1115e29dacab98ed29ec603edfdaa8f697507daa;p=packages%2Fo%2Fopenafs.git

windows-checkVCs-20081015

LICENSE MIT
FIXES 116641

Do not drop references to 'nextp' until we are done with the object.
Dropping the last reference can result in the object being destroyed.
---

diff --git a/src/WINNT/afsd/smb.c b/src/WINNT/afsd/smb.c
index ae083f9f6..7e215ad1d 100644
--- a/src/WINNT/afsd/smb.c
+++ b/src/WINNT/afsd/smb.c
@@ -3752,14 +3752,24 @@ void smb_CheckVCs(void)
 	    osi_panic("afsd: invalid smb_vc_t detected in smb_allVCsp", 
 		       __FILE__, __LINE__);
 
+        /* on the first pass hold 'vcp' which was not held as 'nextp' */
+        if (vcp != nextp)
+            smb_HoldVCNoLock(vcp);
+
+        /* 
+         * obtain a reference to 'nextp' now because we drop the
+         * smb_rctLock later and the list contents could change 
+         * or 'vcp' could be destroyed when released.
+         */
 	nextp = vcp->nextp;
+	if (nextp)
+	    smb_HoldVCNoLock(nextp);
 
-	if (vcp->flags & SMB_VCFLAG_ALREADYDEAD)
+	if (vcp->flags & SMB_VCFLAG_ALREADYDEAD) {
+            smb_ReleaseVCNoLock(vcp);
 	    continue;
+        }
 
-	smb_HoldVCNoLock(vcp);
-	if (nextp)
-	    smb_HoldVCNoLock(nextp);
 	smb_FormatResponsePacket(vcp, NULL, outp);
         smbp = (smb_t *)outp;
 	outp->inCom = smbp->com = 0x2b /* Echo */;
@@ -3778,8 +3788,6 @@ void smb_CheckVCs(void)
 
 	lock_ObtainWrite(&smb_rctLock);
 	smb_ReleaseVCNoLock(vcp);
-	if (nextp)
-	    smb_ReleaseVCNoLock(nextp);
     }
     lock_ReleaseWrite(&smb_rctLock);
     smb_FreePacket(outp);