[SCM] Samba Shared Repository - branch v3-6-test updated

Stefan Metzmacher metze at samba.org
Wed Jan 5 03:54:43 MST 2011 

The branch, v3-6-test has been updated
       via  e47ced6 talloc: fixed a use after free error
       via  1d08998 talloc: added a test for the use after free Rusty found (cherry picked from commit 66db49e35f87f0e0a9d82cfa661d2cc604758406)
       via  59f1fbc talloc: Clarify error message on access after free. (cherry picked from commit 733bc1c1ca31df2b61d86f5ee8783ee9c3867faa)
      from  2bd7650 s3-rpcecho: Only register rpcecho in the developer build.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test


- Log -----------------------------------------------------------------
commit e47ced633c905756d2651ad41d682e217765f3fc
Author: Andrew Tridgell <tridge at samba.org>
Date:   Wed Jan 5 16:33:13 2011 +1100

    talloc: fixed a use after free error
    
    this is the minimal fix for the problem Rusty found. I previously
    thought that the best fix would be to change tc->parent to be valid
    for all pointers, but that is expensive for realloc with large numbers
    of child pointers, which is much more commmon than I expected it to
    be.
    
    Autobuild-User: Andrew Tridgell <tridge at samba.org>
    Autobuild-Date: Wed Jan  5 07:22:27 CET 2011 on sn-devel-104
    (cherry picked from commit 6f51a1f45bf4de062cce7a562477e8140630a53d)
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 1d08998db859422e5995ed3e7b74ca5402057775
Author: Andrew Tridgell <tridge at samba.org>
Date:   Wed Dec 22 15:29:37 2010 +1100

    talloc: added a test for the use after free Rusty found
    (cherry picked from commit 66db49e35f87f0e0a9d82cfa661d2cc604758406)
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 59f1fbc6b99bf3e3a9ea9d61aa35a35c82d93f96
Author: Jelmer Vernooij <jelmer at samba.org>
Date:   Wed Jan 5 01:01:28 2011 +0100

    talloc: Clarify error message on access after free.
    (cherry picked from commit 733bc1c1ca31df2b61d86f5ee8783ee9c3867faa)
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/talloc/talloc.c    |   25 ++++++++++++++++++++-----
 lib/talloc/testsuite.c |   17 +++++++++++++++++
 2 files changed, 37 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/talloc/talloc.c b/lib/talloc/talloc.c
index ec67a46..c616f34 100644
--- a/lib/talloc/talloc.c
+++ b/lib/talloc/talloc.c
@@ -224,9 +224,9 @@ static void talloc_abort_magic(unsigned magic)
 	talloc_abort("Bad talloc magic value - wrong talloc version used/mixed");
 }
 
-static void talloc_abort_double_free(void)
+static void talloc_abort_access_after_free(void)
 {
-	talloc_abort("Bad talloc magic value - double free");
+	talloc_abort("Bad talloc magic value - access after free");
 }
 
 static void talloc_abort_unknown_value(void)
@@ -246,8 +246,8 @@ static inline struct talloc_chunk *talloc_chunk_from_ptr(const void *ptr)
 		}
 
 		if (tc->flags & TALLOC_FLAG_FREE) {
-			talloc_log("talloc: double free error - first free may be at %s\n", tc->name);
-			talloc_abort_double_free();
+			talloc_log("talloc: access after free error - first free may be at %s\n", tc->name);
+			talloc_abort_access_after_free();
 			return NULL;
 		} else {
 			talloc_abort_unknown_value();
@@ -645,13 +645,28 @@ static inline int _talloc_free_internal(void *ptr, const char *location)
 		   final choice is the null context. */
 		void *child = TC_PTR_FROM_CHUNK(tc->child);
 		const void *new_parent = null_context;
+		struct talloc_chunk *old_parent = NULL;
 		if (unlikely(tc->child->refs)) {
 			struct talloc_chunk *p = talloc_parent_chunk(tc->child->refs);
 			if (p) new_parent = TC_PTR_FROM_CHUNK(p);
 		}
+		/* finding the parent here is potentially quite
+		   expensive, but the alternative, which is to change
+		   talloc to always have a valid tc->parent pointer,
+		   makes realloc more expensive where there are a
+		   large number of children.
+
+		   The reason we need the parent pointer here is that
+		   if _talloc_free_internal() fails due to references
+		   or a failing destructor we need to re-parent, but
+		   the free call can invalidate the prev pointer.
+		*/
+		if (new_parent == null_context && (tc->child->refs || tc->child->destructor)) {
+			old_parent = talloc_parent_chunk(ptr);
+		}
 		if (unlikely(_talloc_free_internal(child, location) == -1)) {
 			if (new_parent == null_context) {
-				struct talloc_chunk *p = talloc_parent_chunk(ptr);
+				struct talloc_chunk *p = old_parent;
 				if (p) new_parent = TC_PTR_FROM_CHUNK(p);
 			}
 			_talloc_steal_internal(new_parent, child);
diff --git a/lib/talloc/testsuite.c b/lib/talloc/testsuite.c
index 0026931..ee6256b 100644
--- a/lib/talloc/testsuite.c
+++ b/lib/talloc/testsuite.c
@@ -1167,6 +1167,21 @@ static bool test_free_ref_null_context(void)
 	return true;
 }
 
+static bool test_rusty(void)
+{
+	void *root;
+	const char *p1;
+
+	talloc_enable_null_tracking();
+	root = talloc_new(NULL);
+	p1 = talloc_strdup(root, "foo");
+	talloc_increase_ref_count(p1);
+	talloc_report_full(root, stdout);
+	talloc_free(root);
+	return true;
+}
+
+
 static void test_reset(void)
 {
 	talloc_set_log_fn(test_log_stdout);
@@ -1221,6 +1236,8 @@ bool torture_local_talloc(struct torture_context *tctx)
 	ret &= test_pool();
 	test_reset();
 	ret &= test_free_ref_null_context();
+	test_reset();
+	ret &= test_rusty();
 
 	if (ret) {
 		test_reset();


-- 
Samba Shared Repository

More information about the samba-cvs mailing list