[SCM] Samba Shared Repository - branch master updated

Andreas Schneider asn at samba.org
Thu Aug 4 04:32:02 MDT 2011 

The branch, master has been updated
       via  68e7b93 s4-librpc: Fix double free.
      from  fff3f29 s4-ldb: two DNs only match if they have the same deletion status

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 68e7b9307adabd9e3e12e95e0995051d366d8cf5
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Aug 3 23:44:45 2011 +0200

    s4-librpc: Fix double free.
    
    Autobuild-User: Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date: Thu Aug  4 12:31:18 CEST 2011 on sn-devel-104

-----------------------------------------------------------------------

Summary of changes:
 source4/librpc/rpc/dcerpc_smb.c  |   11 ++++++-----
 source4/librpc/rpc/dcerpc_smb2.c |   13 +++++++------
 2 files changed, 13 insertions(+), 11 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/librpc/rpc/dcerpc_smb.c b/source4/librpc/rpc/dcerpc_smb.c
index 395e067..c231295 100644
--- a/source4/librpc/rpc/dcerpc_smb.c
+++ b/source4/librpc/rpc/dcerpc_smb.c
@@ -79,6 +79,7 @@ struct smb_read_state {
 */
 static void smb_read_callback(struct smbcli_request *req)
 {
+	struct dcecli_connection *c;
 	struct smb_private *smb;
 	struct smb_read_state *state;
 	union smb_read *io;
@@ -88,11 +89,12 @@ static void smb_read_callback(struct smbcli_request *req)
 	state = talloc_get_type(req->async.private_data, struct smb_read_state);
 	smb = talloc_get_type(state->c->transport.private_data, struct smb_private);
 	io = state->io;
+	c = state->c;
 
 	status = smb_raw_read_recv(state->req, io);
 	if (NT_STATUS_IS_ERR(status)) {
-		pipe_dead(state->c, status);
 		talloc_free(state);
+		pipe_dead(c, status);
 		return;
 	}
 
@@ -101,8 +103,8 @@ static void smb_read_callback(struct smbcli_request *req)
 	if (state->received < 16) {
 		DEBUG(0,("dcerpc_smb: short packet (length %d) in read callback!\n",
 			 (int)state->received));
-		pipe_dead(state->c, NT_STATUS_INFO_LENGTH_MISMATCH);
 		talloc_free(state);
+		pipe_dead(c, NT_STATUS_INFO_LENGTH_MISMATCH);
 		return;
 	}
 
@@ -110,7 +112,6 @@ static void smb_read_callback(struct smbcli_request *req)
 
 	if (frag_length <= state->received) {
 		DATA_BLOB data = state->data;
-		struct dcecli_connection *c = state->c;
 		data.length = state->received;
 		talloc_steal(state->c, data.data);
 		talloc_free(state);
@@ -128,8 +129,8 @@ static void smb_read_callback(struct smbcli_request *req)
 
 	state->req = smb_raw_read_send(smb->tree, io);
 	if (state->req == NULL) {
-		pipe_dead(state->c, NT_STATUS_NO_MEMORY);
 		talloc_free(state);
+		pipe_dead(c, NT_STATUS_NO_MEMORY);
 		return;
 	}
 
@@ -257,7 +258,7 @@ static NTSTATUS smb_send_trans_request(struct dcecli_connection *c, DATA_BLOB *b
 	struct smb_trans_state *state;
 	uint16_t max_data;
 
-	state = talloc(smb, struct smb_trans_state);
+	state = talloc(c, struct smb_trans_state);
 	if (state == NULL) {
 		return NT_STATUS_NO_MEMORY;
 	}
diff --git a/source4/librpc/rpc/dcerpc_smb2.c b/source4/librpc/rpc/dcerpc_smb2.c
index 50aed8c..59ee7a8 100644
--- a/source4/librpc/rpc/dcerpc_smb2.c
+++ b/source4/librpc/rpc/dcerpc_smb2.c
@@ -78,6 +78,7 @@ struct smb2_read_state {
 */
 static void smb2_read_callback(struct smb2_request *req)
 {
+	struct dcecli_connection *c;
 	struct smb2_private *smb;
 	struct smb2_read_state *state;
 	struct smb2_read io;
@@ -86,26 +87,27 @@ static void smb2_read_callback(struct smb2_request *req)
 
 	state = talloc_get_type(req->async.private_data, struct smb2_read_state);
 	smb = talloc_get_type(state->c->transport.private_data, struct smb2_private);
+	c = state->c;
 
 	status = smb2_read_recv(req, state, &io);
 	if (NT_STATUS_IS_ERR(status)) {
-		pipe_dead(state->c, status);
 		talloc_free(state);
+		pipe_dead(c, status);
 		return;
 	}
 
 	if (!data_blob_append(state, &state->data, 
 				  io.out.data.data, io.out.data.length)) {
-		pipe_dead(state->c, NT_STATUS_NO_MEMORY);
 		talloc_free(state);
+		pipe_dead(c, NT_STATUS_NO_MEMORY);
 		return;
 	}
 
 	if (state->data.length < 16) {
 		DEBUG(0,("dcerpc_smb2: short packet (length %d) in read callback!\n",
 			 (int)state->data.length));
-		pipe_dead(state->c, NT_STATUS_INFO_LENGTH_MISMATCH);
 		talloc_free(state);
+		pipe_dead(c, NT_STATUS_INFO_LENGTH_MISMATCH);
 		return;
 	}
 
@@ -113,7 +115,6 @@ static void smb2_read_callback(struct smb2_request *req)
 
 	if (frag_length <= state->data.length) {
 		DATA_BLOB data = state->data;
-		struct dcecli_connection *c = state->c;
 		talloc_steal(c, data.data);
 		talloc_free(state);
 		c->transport.recv_data(c, &data, NT_STATUS_OK);
@@ -131,8 +132,8 @@ static void smb2_read_callback(struct smb2_request *req)
 	
 	req = smb2_read_send(smb->tree, &io);
 	if (req == NULL) {
-		pipe_dead(state->c, NT_STATUS_NO_MEMORY);
 		talloc_free(state);
+		pipe_dead(c, NT_STATUS_NO_MEMORY);
 		return;
 	}
 
@@ -152,7 +153,7 @@ static NTSTATUS send_read_request_continue(struct dcecli_connection *c, DATA_BLO
 	struct smb2_read_state *state;
 	struct smb2_request *req;
 
-	state = talloc(smb, struct smb2_read_state);
+	state = talloc(c, struct smb2_read_state);
 	if (state == NULL) {
 		return NT_STATUS_NO_MEMORY;
 	}


-- 
Samba Shared Repository

More information about the samba-cvs mailing list