From d921ee381aa46e4385524f0c31ca5ad606aa920a Mon Sep 17 00:00:00 2001
From: Jeffrey Altman <jaltman@secure-endpoints.com>
Date: Tue, 17 Jan 2006 21:43:25 +0000
Subject: [PATCH] windows-truncate-after-lock-check-20060116

In smb_ReceiveNTCreateX the lock check, cm_CheckNTOpen(), must take place
before we allow the file to be truncated.
---
 src/WINNT/afsd/smb3.c | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/src/WINNT/afsd/smb3.c b/src/WINNT/afsd/smb3.c
index e60850a68..003c3ef8e 100644
--- a/src/WINNT/afsd/smb3.c
+++ b/src/WINNT/afsd/smb3.c
@@ -5666,7 +5666,18 @@ long smb_ReceiveNTCreateX(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *outp)
      * scp is NULL.
      */
     if (code == 0 && !treeCreate) {
-        if (createDisp == FILE_CREATE) {
+        code = cm_CheckNTOpen(scp, desiredAccess, createDisp, userp, &req);
+        if (code) {
+            if (dscp)
+                cm_ReleaseSCache(dscp);
+            if (scp)
+                cm_ReleaseSCache(scp);
+            cm_ReleaseUser(userp);
+            free(realPathp);
+            return code;
+        }
+
+	if (createDisp == FILE_CREATE) {
             /* oops, file shouldn't be there */
             if (dscp)
                 cm_ReleaseSCache(dscp);
@@ -5706,16 +5717,6 @@ long smb_ReceiveNTCreateX(smb_vc_t *vcp, smb_packet_t *inp, smb_packet_t *outp)
         else 
             openAction = 1;	/* found existing file */
 
-        code = cm_CheckNTOpen(scp, desiredAccess, createDisp, userp, &req);
-        if (code) {
-            if (dscp)
-                cm_ReleaseSCache(dscp);
-            if (scp)
-                cm_ReleaseSCache(scp);
-            cm_ReleaseUser(userp);
-            free(realPathp);
-            return code;
-        }
     } else if (createDisp == FILE_OPEN || createDisp == FILE_OVERWRITE) {
         /* don't create if not found */
         if (dscp)
-- 
2.39.5