[PATCH] fix crash in winbindd in tevent_req_poll().

boyang boyang at suse.de
Fri Apr 17 07:19:02 GMT 2009


Hi, everyone:
    Have a look at close_conns_after_fork: dom->conn.cli->fd = -1. That
is to say, it is just set to -1 and not freed. And this is the problem:
pipes might be there after fork! Then have a look at the connection after
fork, cm_connect_sam() --> invalidate_cm_connection(): pipes might not
be null, but cli->fd == -1. Then look at the destructor
rpc_transport_np_state_destructor(): fd (-1) is added to the fd_events list
and FD_SET will set it in the fd sets; 0xFFFFFFFF is so large that FD_SET()
accesses invalid memory...
    Patch is for master.
    Please correct me if I am wrong. Thanks!
Best Regards
BoYang
-------------- next part --------------
A non-text attachment was scrubbed...
Name: crash-in-tevent_req_poll.diff
Type: text/x-patch
Size: 1398 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090417/6d10ba53/crash-in-tevent_req_poll.bin
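
Added example, not part of the original post or the attached patch: a guard that skips descriptors outside the range FD_SET() accepts while building a select() read set, so an fd left at -1 never reaches the bitmap. `struct fd_event`, `fd_is_selectable` and `build_read_set` are hypothetical names, not Samba or tevent API.

```c
#include <stdio.h>
#include <sys/select.h>

/* Hypothetical stand-in for one entry of an event loop's fd list. */
struct fd_event { int fd; };

/* POSIX leaves FD_SET() undefined for fd < 0 or fd >= FD_SETSIZE: the
 * macro indexes a fixed-size bitmap, so the caller must check the range. */
static int fd_is_selectable(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Build the read set for select(). Returns the highest fd added, or -1 if
 * none was usable; *skipped counts the entries that were rejected. */
static int build_read_set(const struct fd_event *ev, size_t n,
                          fd_set *r_fds, size_t *skipped)
{
    int maxfd = -1;

    *skipped = 0;
    FD_ZERO(r_fds);
    for (size_t i = 0; i < n; i++) {
        if (!fd_is_selectable(ev[i].fd)) {
            (*skipped)++;   /* e.g. fd == -1 left behind after fork */
            continue;
        }
        FD_SET(ev[i].fd, r_fds);
        if (ev[i].fd > maxfd)
            maxfd = ev[i].fd;
    }
    return maxfd;
}

int main(void)
{
    /* Constructed sample: 0 and 5 are in range, -1 models the invalidated
     * connection, FD_SETSIZE is one past the largest legal value. */
    struct fd_event ev[] = { {0}, {-1}, {FD_SETSIZE}, {5} };
    fd_set r_fds;
    size_t skipped;
    int maxfd = build_read_set(ev, 4, &r_fds, &skipped);

    printf("maxfd=%d skipped=%zu\n", maxfd, skipped);
    return 0;
}
```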

