svn commit: samba r20186 - in branches: SAMBA_3_0/source/nsswitch SAMBA_3_0_24/source/nsswitch

[gd at samba.org]

Author: gd
Date: 2006-12-15 16:45:39 +0000 (Fri, 15 Dec 2006)
New Revision: 20186

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=20186

Log:
Fix winbind crash bug in WINBIND_GETGROUPS.

response_extra_sent() expects to free a malloced
extra_data.data while the add_XX_to_array functions all return talloced
memory now. Jeremy, please check.

Guenther

Modified:
   branches/SAMBA_3_0/source/nsswitch/winbindd_group.c
   branches/SAMBA_3_0_24/source/nsswitch/winbindd_group.c


Changeset:
Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_group.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_group.c	2006-12-15 13:12:18 UTC (rev 20185)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_group.c	2006-12-15 16:45:39 UTC (rev 20186)
@@ -1217,7 +1217,7 @@
 		(struct getgroups_state *)private_data;
 
 	if (success) {
-		if (!add_gid_to_array_unique(NULL, gid,
+		if (!add_gid_to_array_unique(s->state->mem_ctx, gid,
 					&s->token_gids,
 					&s->num_token_gids)) {
 			return;
@@ -1239,7 +1239,8 @@
 	}
 
 	s->state->response.data.num_entries = s->num_token_gids;
-	s->state->response.extra_data.data = s->token_gids;
+	/* s->token_gids are talloced */
+	s->state->response.extra_data.data = smb_xmemdup(s->token_gids, s->num_token_gids * sizeof(gid_t));
 	s->state->response.length += s->num_token_gids * sizeof(gid_t);
 	request_ok(s->state);
 }

Modified: branches/SAMBA_3_0_24/source/nsswitch/winbindd_group.c
===================================================================
--- branches/SAMBA_3_0_24/source/nsswitch/winbindd_group.c	2006-12-15 13:12:18 UTC (rev 20185)
+++ branches/SAMBA_3_0_24/source/nsswitch/winbindd_group.c	2006-12-15 16:45:39 UTC (rev 20186)
@@ -1231,7 +1231,7 @@
 		(struct getgroups_state *)private_data;
 
 	if (success) {
-		if (!add_gid_to_array_unique(NULL, gid,
+		if (!add_gid_to_array_unique(s->state->mem_ctx, gid,
 					&s->token_gids,
 					&s->num_token_gids)) {
 			return;
@@ -1253,7 +1253,8 @@
 	}
 
 	s->state->response.data.num_entries = s->num_token_gids;
-	s->state->response.extra_data.data = s->token_gids;
+	/* s->token_gids are talloced */
+	s->state->response.extra_data.data = smb_xmemdup(s->token_gids, s->num_token_gids * sizeof(gid_t));
 	s->state->response.length += s->num_token_gids * sizeof(gid_t);
 	request_ok(s->state);
 }