svn commit: samba r20160 - in branches: SAMBA_3_0/source/lib SAMBA_3_0_24/source/lib

jra at samba.org jra at samba.org
Wed Dec 13 22:19:10 GMT 2006


Author: jra
Date: 2006-12-13 22:19:10 +0000 (Wed, 13 Dec 2006)
New Revision: 20160

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=20160

Log:
Fix long-standing (ie. from initial code I think) bug
in tdb message processing. If we're inside a dispatch
function and we delete our own handler we'd walk onto
the next pointer from a deleted memory block. Fixes
crash bug in winbindd (and goodness knows where else).
Jeremy.

Modified:
   branches/SAMBA_3_0/source/lib/messages.c
   branches/SAMBA_3_0_24/source/lib/messages.c


Changeset:
Modified: branches/SAMBA_3_0/source/lib/messages.c
===================================================================
--- branches/SAMBA_3_0/source/lib/messages.c	2006-12-13 21:28:45 UTC (rev 20159)
+++ branches/SAMBA_3_0/source/lib/messages.c	2006-12-13 22:19:10 UTC (rev 20160)
@@ -471,7 +471,6 @@
 	char *buf;
 	char *msgs_buf;
 	size_t len, total_len;
-	struct dispatch_fns *dfn;
 	int n_handled;
 
 	if (!received_signal)
@@ -485,11 +484,15 @@
 		return;
 
 	for (buf = msgs_buf; message_recv(msgs_buf, total_len, &msg_type, &src, &buf, &len); buf += len) {
+		struct dispatch_fns *dfn, *next;
+
 		DEBUG(10,("message_dispatch: received msg_type=%d "
 			  "src_pid=%u\n", msg_type,
 			  (unsigned int) procid_to_pid(&src)));
+
 		n_handled = 0;
-		for (dfn = dispatch_fns; dfn; dfn = dfn->next) {
+		for (dfn = dispatch_fns; dfn; dfn = next) {
+			next = dfn->next;			
 			if (dfn->msg_type == msg_type) {
 				DEBUG(10,("message_dispatch: processing message of type %d.\n", msg_type));
 				dfn->fn(msg_type, src, len ? (void *)buf : NULL, len);
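Review bot: Saving `next` before the `dfn->fn(...)` call in the inner loop only protects against a handler that removes its own entry; if a callback deregisters a different handler that happens to be the saved `next`, the following iteration still dereferences freed memory. Because the dispatched messages originate from other processes (the loop logs a `src_pid`), either state the constraint at the loop, e.g. `/* dfn->fn() may free dfn itself; it must not remove any other handler */`, or defer the actual free until dispatch has finished, presumably in the deregister path, which is not visible here. The same point applies to the identical hunk in branches/SAMBA_3_0_24/source/lib/messages.c. The added `next = dfn->next;` line also carries trailing tabs. The enclosing function starts and ends outside the hunk.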

Modified: branches/SAMBA_3_0_24/source/lib/messages.c
===================================================================
--- branches/SAMBA_3_0_24/source/lib/messages.c	2006-12-13 21:28:45 UTC (rev 20159)
+++ branches/SAMBA_3_0_24/source/lib/messages.c	2006-12-13 22:19:10 UTC (rev 20160)
@@ -471,7 +471,6 @@
 	char *buf;
 	char *msgs_buf;
 	size_t len, total_len;
-	struct dispatch_fns *dfn;
 	int n_handled;
 
 	if (!received_signal)
@@ -485,11 +484,15 @@
 		return;
 
 	for (buf = msgs_buf; message_recv(msgs_buf, total_len, &msg_type, &src, &buf, &len); buf += len) {
+		struct dispatch_fns *dfn, *next;
+
 		DEBUG(10,("message_dispatch: received msg_type=%d "
 			  "src_pid=%u\n", msg_type,
 			  (unsigned int) procid_to_pid(&src)));
+
 		n_handled = 0;
-		for (dfn = dispatch_fns; dfn; dfn = dfn->next) {
+		for (dfn = dispatch_fns; dfn; dfn = next) {
+			next = dfn->next;			
 			if (dfn->msg_type == msg_type) {
 				DEBUG(10,("message_dispatch: processing message of type %d.\n", msg_type));
 				dfn->fn(msg_type, src, len ? (void *)buf : NULL, len);


