[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Mon Sep 10 15:35:04 MDT 2012


The branch, master has been updated
       via  ba5f557 Fix talloc memory heirarchy bug. If there's an SMB2 sessionsetup in flight when we're shut down, we end up freeing the struct smbXsrv_session *session pointer twice.
       via  cfeac09 Fix bug #9147 - winbind can't fetch user or group info from AD via LDAP
      from  56d97d1 wafbuild: add defines for linux quota and sysquota support

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit ba5f557b5db9fbc9a59d742d2612b397b5525266
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Sep 6 17:14:52 2012 -0700

    Fix talloc memory heirarchy bug. If there's an SMB2 sessionsetup in flight when we're shut down, we end up freeing the struct smbXsrv_session *session pointer twice.
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Mon Sep 10 23:34:06 CEST 2012 on sn-devel-104

commit cfeac09fc0796ecf77593244e9e72c1521fd251c
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Sep 10 09:30:49 2012 -0700

    Fix bug #9147 - winbind can't fetch user or group info from AD via LDAP
    
    Don't use "isprint" in ldb_binary_encode(). This is locale specific.
    Restrict to ASCII only, hex encode everything else.

-----------------------------------------------------------------------

Summary of changes:
 lib/ldb/common/ldb_parse.c    |    6 ++++--
 source3/smbd/smb2_sesssetup.c |   41 ++++++++++++++++++++++++++++++++++++-----
 2 files changed, 40 insertions(+), 7 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/common/ldb_parse.c b/lib/ldb/common/ldb_parse.c
index cfa2959..f47ef43 100644
--- a/lib/ldb/common/ldb_parse.c
+++ b/lib/ldb/common/ldb_parse.c
@@ -124,7 +124,8 @@ char *ldb_binary_encode(TALLOC_CTX *mem_ctx, struct ldb_val val)
 	unsigned char *buf = val.data;
 
 	for (i=0;i<val.length;i++) {
-		if (!isprint(buf[i]) || strchr(" *()\\&|!\"", buf[i])) {
+		unsigned int cval = buf[i];
+		if (cval < 0x20 || cval > 0x7E || strchr(" *()\\&|!\"", buf[i])) {
 			len += 2;
 		}
 	}
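Review bot: The encode test `cval < 0x20 || cval > 0x7E || strchr(...)` is written out twice, here in the sizing loop and again in the write loop of the next hunk, so the two copies can drift apart. The allocation between the hunks is not visible but appears to be sized from the count in this loop; if a later edit touched only one copy, the write loop could emit more `\XX` triples than were counted and run past the buffer. A single file-local predicate called from both loops would keep them in step, e.g. `static bool need_encode(unsigned char cval) { return cval < 0x20 || cval > 0x7E || strchr(" *()\\&|!\"", cval) != NULL; }`. It would also use `cval` for the `strchr` lookup instead of going back to `buf[i]`. The body of ldb_binary_encode starts and ends outside these hunks.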
@@ -133,7 +134,8 @@ char *ldb_binary_encode(TALLOC_CTX *mem_ctx, struct ldb_val val)
 
 	len = 0;
 	for (i=0;i<val.length;i++) {
-		if (!isprint(buf[i]) || strchr(" *()\\&|!\"", buf[i])) {
+		unsigned int cval = buf[i];
+		if (cval < 0x20 || cval > 0x7E || strchr(" *()\\&|!\"", buf[i])) {
 			snprintf(ret+len, 4, "\\%02X", buf[i]);
 			len += 3;
 		} else {
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index a03abf7..61b5519 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -439,8 +439,16 @@ struct smbd_smb2_session_setup_state {
 	uint16_t out_session_flags;
 	DATA_BLOB out_security_buffer;
 	uint64_t out_session_id;
+	/* The following pointer is owned by state->session. */
+	struct smbd_smb2_session_setup_state **pp_self_ref;
 };
 
+static int pp_self_ref_destructor(struct smbd_smb2_session_setup_state **pp_state)
+{
+	(*pp_state)->session = NULL;
+	return 0;
+}
+
 static int smbd_smb2_session_setup_state_destructor(struct smbd_smb2_session_setup_state *state)
 {
 	/*
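Review bot: pp_self_ref_destructor writes through `*pp_state` with no check, so it is only safe while the state it points at is still allocated, and that invariant is not written down anywhere in the hunk. It holds if every path that frees the state either frees the session (and with it the tag) or frees `state->pp_self_ref` first, which depends on the body of smbd_smb2_session_setup_state_destructor that continues outside this hunk. I would add a comment above the destructor along the lines of `/* Runs when the tag is freed, either with its parent session or via TALLOC_FREE(state->pp_self_ref); *pp_state must still be a live state at that point. */`.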
@@ -454,6 +462,24 @@ static int smbd_smb2_session_setup_state_destructor(struct smbd_smb2_session_set
 static void smbd_smb2_session_setup_gensec_done(struct tevent_req *subreq);
 static void smbd_smb2_session_setup_previous_done(struct tevent_req *subreq);
 
+/************************************************************************
+ We have to tag the state->session pointer with memory talloc'ed
+ on it to ensure it gets NULL'ed out if the underlying struct smbXsrv_session
+ is deleted by shutdown whilst this request is in flight.
+************************************************************************/
+
+static NTSTATUS tag_state_session_ptr(struct smbd_smb2_session_setup_state *state)
+{
+	state->pp_self_ref = talloc_zero(state->session,
+			struct smbd_smb2_session_setup_state *);
+	if (state->pp_self_ref == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	*state->pp_self_ref = state;
+	talloc_set_destructor(state->pp_self_ref, pp_self_ref_destructor);
+	return NT_STATUS_OK;
+}
+
 static struct tevent_req *smbd_smb2_session_setup_send(TALLOC_CTX *mem_ctx,
 					struct tevent_context *ev,
 					struct smbd_smb2_request *smb2req,
@@ -522,6 +548,11 @@ static struct tevent_req *smbd_smb2_session_setup_send(TALLOC_CTX *mem_ctx,
 		}
 	}
 
+	status = tag_state_session_ptr(state);
+	if (tevent_req_nterror(req, status)) {
+		return tevent_req_post(req, ev);
+	}
+
 	if (state->session->gensec == NULL) {
 		status = auth_generic_prepare(state->session,
 					      state->session->connection->remote_address,
@@ -577,7 +608,7 @@ static void smbd_smb2_session_setup_gensec_done(struct tevent_req *subreq)
 	if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 		state->out_session_id = state->session->global->session_wire_id;
 		/* we want to keep the session */
-		state->session = NULL;
+		TALLOC_FREE(state->pp_self_ref);
 		tevent_req_nterror(req, status);
 		return;
 	}
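Review bot: After this change `state->session` is cleared only as a side effect of pp_self_ref_destructor running inside `TALLOC_FREE(state->pp_self_ref)`, which the retained comment `/* we want to keep the session */` does not explain. The same replacement is made at the four later sites in smbd_smb2_session_setup_gensec_done and smbd_smb2_session_setup_previous_done. If `pp_self_ref` were ever NULL at one of these points, TALLOC_FREE would do nothing and the pointer would stay set, leaving the session to whatever the state destructor does with it (not visible here). Keeping the explicit assignment makes the intent independent of the destructor: `TALLOC_FREE(state->pp_self_ref);` followed by `state->session = NULL;`. Both callbacks start outside their hunks.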
@@ -617,7 +648,7 @@ static void smbd_smb2_session_setup_gensec_done(struct tevent_req *subreq)
 			return;
 		}
 		/* we want to keep the session */
-		state->session = NULL;
+		TALLOC_FREE(state->pp_self_ref);
 		tevent_req_done(req);
 		return;
 	}
@@ -633,7 +664,7 @@ static void smbd_smb2_session_setup_gensec_done(struct tevent_req *subreq)
 	}
 
 	/* we want to keep the session */
-	state->session = NULL;
+	TALLOC_FREE(state->pp_self_ref);
 	tevent_req_done(req);
 	return;
 }
@@ -664,7 +695,7 @@ static void smbd_smb2_session_setup_previous_done(struct tevent_req *subreq)
 			return;
 		}
 		/* we want to keep the session */
-		state->session = NULL;
+		TALLOC_FREE(state->pp_self_ref);
 		tevent_req_done(req);
 		return;
 	}
@@ -680,7 +711,7 @@ static void smbd_smb2_session_setup_previous_done(struct tevent_req *subreq)
 	}
 
 	/* we want to keep the session */
-	state->session = NULL;
+	TALLOC_FREE(state->pp_self_ref);
 	tevent_req_done(req);
 	return;
 }


-- 
Samba Shared Repository

