patch: possible unclean memory free in smbd/open.c

Volker Lendecke Volker.Lendecke at SerNet.DE
Sun Feb 26 14:17:40 GMT 2006


On Sun, Feb 26, 2006 at 04:30:09PM +0300, Aleksey Fedoseev wrote:
> I've found one strange line while analyzing the open.c file in the SAMBA3 branch:
> 
> On line 1113 the pointer to the locking structure is freed by
> talloc_destroy, but the pointer variable is not zeroed.
> Later, on line 1468 we can see an ASSERT that the pointer equals NULL, and
> program execution with the freed pointer can reach that line.
> 
> I guess, talloc_destroy should be replaced with TALLOC_FREE. Patch attached.

That one is (VERY likely) ok because we touch the
talloc_destroy() you found only if the file existed before.
Otherwise it would not have been possible to end up in the
delay queue. So in line 1318 we assign it again anyway.

Checking in nevertheless, better directly segfault instead
of referencing stale memory.

Thanks!

Volker
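The exchange above is about the free-and-NULL idiom: plain talloc_destroy() leaves the variable holding the old address, so a later NULL check passes and stale memory gets referenced, whereas a TALLOC_FREE-style macro nulls the variable so the same check fails cleanly (or a dereference segfaults at once). The following is an added example, not Samba code: the struct, lock_new()/lock_destroy() and the LOCK_FREE macro are stand-ins for the talloc context and for TALLOC_FREE (plain malloc/free underneath), and the field names are made up. It also shows the caveat that such a macro only nulls the one variable it is given; any alias of the pointer stays dangling.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for Samba's share-mode locking structure; fields are made up. */
struct share_mode_lock {
    int num_share_modes;
    char servicepath[64];
};

/* Stand-in for talloc_init(): plain calloc (assumption for this example). */
static struct share_mode_lock *lock_new(const char *path)
{
    struct share_mode_lock *lck = calloc(1, sizeof(*lck));
    if (lck == NULL) return NULL;
    snprintf(lck->servicepath, sizeof(lck->servicepath), "%s", path);
    lck->num_share_modes = 1;
    return lck;
}

/* Stand-in for talloc_destroy(): frees the memory, does NOT touch the caller's
 * pointer variable, so the caller is left with a dangling address. */
static void lock_destroy(struct share_mode_lock *lck)
{
    free(lck);
}

/* Free-and-NULL idiom, modelled on the TALLOC_FREE pattern (not Samba's exact
 * macro): skip NULL, free, then null the variable so later checks see NULL. */
#define LOCK_FREE(lck) do { if ((lck) != NULL) { lock_destroy(lck); (lck) = NULL; } } while (0)

/* Returns 1 if, after freeing, a later "if (lck != NULL)" guard would still
 * treat the pointer as live (stale memory would then be used); 0 if the guard
 * correctly sees NULL. The freed memory itself is never dereferenced here. */
int guard_passes_after_free(int use_free_and_null)
{
    struct share_mode_lock *lck = lock_new("/srv/share");
    if (lck == NULL) return -1;

    if (use_free_and_null) {
        LOCK_FREE(lck);        /* lck is now NULL */
    } else {
        lock_destroy(lck);     /* lck still holds the freed address */
    }

    /* The kind of check later code relies on. With the dangling pointer this
     * is true and execution would continue into freed memory. */
    return (lck != NULL) ? 1 : 0;
}

/* The macro nulls only the variable passed to it. Any copy of the pointer
 * made earlier stays dangling: returns 1 if the alias is still non-NULL. */
int alias_still_dangling(void)
{
    struct share_mode_lock *lck = lock_new("/srv/share");
    if (lck == NULL) return -1;
    struct share_mode_lock *alias = lck;   /* second copy of the address */

    LOCK_FREE(lck);                        /* lck == NULL, alias unchanged */
    return (alias != NULL) ? 1 : 0;
}

int main(void)
{
    printf("plain destroy, guard passes: %d\n", guard_passes_after_free(0)); /* 1 */
    printf("free+NULL, guard passes:     %d\n", guard_passes_after_free(1)); /* 0 */
    printf("alias still dangling:        %d\n", alias_still_dangling());     /* 1 */
    return 0;
}
```

The third result is the practical limit of the fix discussed above: nulling the variable makes a stale use crash deterministically only for that variable, so any other copy of the pointer (a struct field, a queued request, a local in another frame) still needs to be cleared or re-derived before use.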


More information about the samba-technical mailing list