double free in close_internal_rpc_pipe_hnd

James Peach jpeach at sgi.com
Mon Feb 20 07:00:06 GMT 2006


Hi Jerry,

FYI, I just came across a crash in top-of-tree. The corresponding
talloc_free in srv_pipe_hnd.c was introduced in r13316 ... I'm not sure
whether this will be an issue for 3.0.21c.

(dbx) where
   2 abort(0x459465, 0x6, 0x86518, 0x0, 0x104f9168, 0xb8, 0x10519278, 0x1033ed0c) ["/xlv46/6.5.27m/work/irix/lib/libc/libc_n32_M4/gen/abort.c":44, 0xfa6f01c]
   3 talloc_chunk_from_ptr(0x10511168, 0x6, 0x86518, 0x0, 0x104f9168, 0xb8, 0x10519278, 0x1033ed0c) ["/home/jpeach/samba/svn/branches/SAMBA_3_0/source/lib/talloc.c":119, 0x1033ed04]
   4 talloc_free(0x10511168, 0x6, 0x86518, 0x0, 0x104f9168, 0xb8, 0x10519278, 0x1033ed0c) ["/home/jpeach/samba/svn/branches/SAMBA_3_0/source/lib/talloc.c":536, 0x1033fd84]
>  5 close_internal_rpc_pipe_hnd(0x10565cf0, 0x6, 0x86518, 0x0, 0x104f9168, 0xb8, 0x10519278, 0x1033ed0c) ["/home/jpeach/samba/svn/branches/SAMBA_3_0/source/rpc_server/srv_pipe_hnd.c":1226, 0x1021d9b0]
   6 close_rpc_pipe_hnd(0x1051be48, 0x6, 0x86518, 0x0, 0x104f9168, 0xb8, 0x10519278, 0x1033ed0c) ["/home/jpeach/samba/svn/branches/SAMBA_3_0/source/rpc_server/srv_pipe_hnd.c":1160, 0x1021d530]
   7 reply_pipe_close(0x10562568, 0x1051dc90, 0x1053e0e0, 0x0, 0x104f9168, 0xb8, 0x10519278, 0x1033ed0c) ["/home/jpeach/samba/svn/branches/SAMBA_3_0/source/smbd/pipes.c":274, 0x100a081c]
   8 reply_close(0x10562568, 0x1051dc90, 0x1053e0e0, 0x2d, 0x104f9168, 0xb8, 0x10519278, 0x1033ed0c) ["/home/jpeach/samba/svn/branches/SAMBA_3_0/source/smbd/reply.c":3272, 0x100b110c]
   9 switch_message(0x4, 0x1051dc90, 0x1053e0e0, 0x2d, 0x104f9168, 0xb8, 0x10519278, 0x1033ed0c) ["/home/jpeach/samba/svn/branches/SAMBA_3_0/source/smbd/process.c":979, 0x10113e0c]
   10 construct_reply(0x1051dc90, 0x1053e0e0, 0x2d, 0x20000, 0x104f9168, 0xb8, 0x10519278, 0x1033ed0c) ["/home/jpeach/samba/svn/branches/SAMBA_3_0/source/smbd/process.c":1009, 0x10113f34]
   11 process_smb(0x1051dc90, 0x1053e0e0, 0x86518, 0x0, 0x104f9168, 0xb8, 0x10519278, 0x1033ed0c) ["/home/jpeach/samba/svn/branches/SAMBA_3_0/source/smbd/process.c":1109, 0x101145f4]
   12 smbd_process(0x459465, 0x6, 0x86518, 0x0, 0x104f9168, 0xb8, 0x10519278, 0x1033ed0c) ["/home/jpeach/samba/svn/branches/SAMBA_3_0/source/smbd/process.c":1661, 0x101162a8]

The problem appears to be a double-free detected by talloc_free. The
attached diff fixed it for me, but I don't know this code, so I'm not
confident that the fix is correct ...

-- 
James Peach | jpeach at sgi.com | SGI Australian Software Group
I don't speak for SGI.
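The trace above ends in talloc_chunk_from_ptr aborting because the header of the chunk handed to talloc_free no longer carries the live magic. The following is an added illustration, not Samba's talloc and not the diff attached to this message: a constructed arena allocator whose chunk header records whether the chunk is live or already freed, a handle type that stands in for the pipe handle, and two close routines. The "buggy" one frees the buffer but leaves the owning pointer dangling, so a second close trips the checker exactly as the backtrace shows; the "fixed" one frees and clears the pointer in one step, so the second close sees NULL and does nothing. All names (model_alloc, model_free, MODEL_FREE, struct handle, scenario) are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not Samba's talloc: a tiny arena allocator whose
 * chunk header carries a magic word, so a second free of the same pointer
 * can be recognised instead of silently corrupting the heap. */
#define MAGIC_LIVE  0x5A11C0DEu
#define MAGIC_FREED 0xDEADF00Du
#define ARENA_SLOTS 8
#define SLOT_BYTES  64

struct chunk {
    uint32_t magic;
    uint32_t in_use;
    unsigned char data[SLOT_BYTES];
};

static struct chunk arena[ARENA_SLOTS];
static int double_free_hits;   /* how many double frees the checker caught */

/* Hand out the first unused slot; memory stays inside the arena so a freed
 * header can still be inspected safely (unlike memory returned to libc). */
void *model_alloc(void)
{
    for (int i = 0; i < ARENA_SLOTS; i++) {
        if (!arena[i].in_use) {
            arena[i].in_use = 1;
            arena[i].magic = MAGIC_LIVE;
            memset(arena[i].data, 0, SLOT_BYTES);
            return arena[i].data;
        }
    }
    return NULL;
}

/* Returns 0 on a normal free, -1 when the chunk was already freed, -2 when
 * the pointer is not one of ours. Like talloc, the header is checked before
 * anything is released; talloc aborts where this model only counts. */
int model_free(void *p)
{
    if (p == NULL) {
        return 0;                 /* freeing NULL is a harmless no-op */
    }
    struct chunk *c = (struct chunk *)((unsigned char *)p - offsetof(struct chunk, data));
    if (c->magic == MAGIC_FREED) {
        double_free_hits++;
        return -1;
    }
    if (c->magic != MAGIC_LIVE) {
        return -2;
    }
    c->magic = MAGIC_FREED;
    c->in_use = 0;
    return 0;
}

/* Free and clear the owning pointer in one step, so a later close of the
 * same handle sees NULL instead of a stale address. */
#define MODEL_FREE(pp) do { model_free(*(pp)); *(pp) = NULL; } while (0)

/* Stand-in for a pipe handle whose buffer can be released by more than one
 * close path (constructed; not the Samba structure). */
struct handle {
    void *buf;
};

static void close_internal_buggy(struct handle *h)
{
    model_free(h->buf);           /* frees, but h->buf keeps the old address */
}

static void close_internal_fixed(struct handle *h)
{
    MODEL_FREE(&h->buf);          /* second call finds NULL and does nothing */
}

/* Close the same handle twice through the given routine and report how
 * many double frees the checker caught. */
int scenario(void (*close_fn)(struct handle *))
{
    double_free_hits = 0;
    struct handle h = { .buf = model_alloc() };
    close_fn(&h);                 /* first close path */
    close_fn(&h);                 /* a second path closing the same handle */
    return double_free_hits;
}

int main(void)
{
    printf("buggy close: %d double free(s) caught\n", scenario(close_internal_buggy));
    printf("fixed close: %d double free(s) caught\n", scenario(close_internal_fixed));
    return 0;
}
```

The shape of the fix is the usual one for ownership bugs of this kind: whichever routine releases the memory also clears the reference it owns, so every other path that might close the same handle later finds NULL. talloc's own TALLOC_FREE macro has the same free-then-NULL form as MODEL_FREE here; whether that is what the attached diff does cannot be told from this message.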


-------------- next part --------------
A non-text attachment was scrubbed...
Name: reply-close-double-free.diff
Type: text/x-diff
Size: 448 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20060220/f5907ead/reply-close-double-free.bin

