svn commit: samba r6509 - in branches/SAMBA_4_0/source/torture/rap: .

tridge at samba.org tridge at samba.org
Thu Apr 28 07:30:38 GMT 2005 

Author: tridge
Date: 2005-04-28 07:30:36 +0000 (Thu, 28 Apr 2005)
New Revision: 6509

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=6509

Log:
fixed a crash bug found by a-jutley at microsoft.com in RPC-RAP test
(the call freed the memory it used to fill in the result structure)

Modified:
   branches/SAMBA_4_0/source/torture/rap/rap.c


Changeset:
Modified: branches/SAMBA_4_0/source/torture/rap/rap.c
===================================================================
--- branches/SAMBA_4_0/source/torture/rap/rap.c	2005-04-28 07:22:21 UTC (rev 6508)
+++ branches/SAMBA_4_0/source/torture/rap/rap.c	2005-04-28 07:30:36 UTC (rev 6509)
@@ -207,6 +207,7 @@
                         } while (0)
 
 static NTSTATUS smbcli_rap_netshareenum(struct smbcli_state *cli,
+					TALLOC_CTX *mem_ctx,
 					struct rap_NetShareEnum *r)
 {
 	struct rap_call *call;
@@ -241,8 +242,7 @@
 	NDR_OK(ndr_pull_uint16(call->ndr_pull_param, NDR_SCALARS, &r->out.count));
 	NDR_OK(ndr_pull_uint16(call->ndr_pull_param, NDR_SCALARS, &r->out.available));
 
-	r->out.info = talloc_array(call, union rap_shareenum_info,
-				     r->out.count);
+	r->out.info = talloc_array(mem_ctx, union rap_shareenum_info, r->out.count);
 
 	if (r->out.info == NULL) {
 		result = NT_STATUS_NO_MEMORY;
@@ -262,7 +262,7 @@
 					      (uint8_t *)&r->out.info[i].info1.pad, 1));
 			NDR_OK(ndr_pull_uint16(call->ndr_pull_data,
 					       NDR_SCALARS, &r->out.info[i].info1.type));
-			NDR_OK(rap_pull_string(call, call->ndr_pull_data,
+			NDR_OK(rap_pull_string(mem_ctx, call->ndr_pull_data,
 					       r->out.convert,
 					       &r->out.info[i].info1.comment));
 			break;
@@ -280,11 +280,12 @@
 {
 	struct rap_NetShareEnum r;
 	int i;
+	TALLOC_CTX *tmp_ctx = talloc_new(cli);
 
 	r.in.level = 1;
 	r.in.bufsize = 8192;
 
-	if (!NT_STATUS_IS_OK(smbcli_rap_netshareenum(cli, &r)))
+	if (!NT_STATUS_IS_OK(smbcli_rap_netshareenum(cli, tmp_ctx, &r)))
 		return False;
 
 	for (i=0; i<r.out.count; i++) {
@@ -293,10 +294,13 @@
 		       r.out.info[i].info1.comment);
 	}
 
+	talloc_free(tmp_ctx);
+
 	return True;
 }
 
 static NTSTATUS smbcli_rap_netserverenum2(struct smbcli_state *cli,
+					  TALLOC_CTX *mem_ctx,
 					  struct rap_NetServerEnum2 *r)
 {
 	struct rap_call *call;
@@ -335,8 +339,7 @@
 	NDR_OK(ndr_pull_uint16(call->ndr_pull_param, NDR_SCALARS, &r->out.count));
 	NDR_OK(ndr_pull_uint16(call->ndr_pull_param, NDR_SCALARS, &r->out.available));
 
-	r->out.info = talloc_array(call, union rap_server_info,
-				     r->out.count);
+	r->out.info = talloc_array(mem_ctx, union rap_server_info, r->out.count);
 
 	if (r->out.info == NULL) {
 		result = NT_STATUS_NO_MEMORY;
@@ -358,7 +361,7 @@
 					      &r->out.info[i].info1.version_minor, 1));
 			NDR_OK(ndr_pull_uint32(call->ndr_pull_data,
 					       NDR_SCALARS, &r->out.info[i].info1.servertype));
-			NDR_OK(rap_pull_string(call, call->ndr_pull_data,
+			NDR_OK(rap_pull_string(mem_ctx, call->ndr_pull_data,
 					       r->out.convert,
 					       &r->out.info[i].info1.comment));
 		}
@@ -375,6 +378,7 @@
 {
 	struct rap_NetServerEnum2 r;
 	int i;
+	TALLOC_CTX *tmp_ctx = talloc_new(cli);
 
 	r.in.level = 0;
 	r.in.bufsize = 8192;
@@ -382,7 +386,7 @@
 	r.in.servertype = 0x80000000;
 	r.in.domain = NULL;
 
-	if (!NT_STATUS_IS_OK(smbcli_rap_netserverenum2(cli, &r)))
+	if (!NT_STATUS_IS_OK(smbcli_rap_netserverenum2(cli, tmp_ctx, &r)))
 		return False;
 
 	for (i=0; i<r.out.count; i++) {
@@ -398,6 +402,8 @@
 		}
 	}
 
+	talloc_free(tmp_ctx);
+
 	return True;
 }

More information about the samba-cvs mailing list