s3-dcerpc: Break memory hierarchy for shared structure

Sat Jul 17 11:21:10 MDT 2010

On Sat, 2010-07-17 at 11:57 +0200, Andreas Schneider wrote:
> On Thursday 15 July 2010 09:07:32 Andrew Bartlett wrote:
> > On Wed, 2010-07-14 at 08:04 -0500, Andreas Schneider wrote:
> > > The branch, master has been updated
> > > 
> > >        via  23ad691... s3-dcerpc: Break memory hierarchy for shared
> > >        structure
> > >       
> > >       from  d35e900... s4: Added acl search tests for anonymous
> > >       connection.
> > > 
> > > http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
> > > 
> > > 
> > > - Log -----------------------------------------------------------------
> > > commit 23ad6919a1e5f16d02e22adcf36ea7f039a9eeea
> > > Author: Simo Sorce <idra at samba.org>
> > > Date:   Wed Jul 14 08:57:47 2010 -0400
> > > 
> > >     s3-dcerpc: Break memory hierarchy for shared structure
> > >     
> > >     Handles are shared among multiple pipes_struct. We cannot allocate
> > >     them on any specific pipes_struct or it will vanish for all others
> > >     as soon as that pipes_struct is freed, leaving back dangling
> > >     pointers.
> > >     
> > >     Signed-off-by: Andreas Schneider <asn at samba.org>
> > > 
> > > -----------------------------------------------------------------------
> > > 
> > > Summary of changes:
> > >  source3/rpc_server/rpc_handles.c |    2 +-
> > >  1 files changed, 1 insertions(+), 1 deletions(-)
> > > 
> > > Changeset truncated at 500 lines:
> > > 
> > > diff --git a/source3/rpc_server/rpc_handles.c
> > > b/source3/rpc_server/rpc_handles.c index bfdc7a8..e073fe4 100644
> > > --- a/source3/rpc_server/rpc_handles.c
> > > +++ b/source3/rpc_server/rpc_handles.c
> > > @@ -103,7 +103,7 @@ bool init_pipe_handles(pipes_struct *p, const struct
> > > ndr_syntax_id *syntax)
> > > 
> > >  		/*
> > >  		
> > >  		 * First open, we have to create the handle list
> > >  		 */
> > > 
> > > -		hl = talloc_zero(p, struct handle_list);
> > > +		hl = talloc_zero(NULL, struct handle_list);
> > > 
> > >  		if (hl == NULL) {
> > >  		
> > >  			return false;
> > >  		
> > >  		}
> > 
> 
> Hi Andrew,
> 
> > Out of interest, what now cleans this up?  I would have expected this to
> > be solved with talloc_reference(), but I assume something else now holds
> > the reference count?
> 
> sorry for the late reply. Simo I think we need the while loop in 
> close_policy_by_pipe() again to clean this up?
> 
> while (p->pipe_handles->handles) {
> 	close_policy_hnd(p, &p->pipe_handles->handles->wire_handle);
> }

No, the handles are still allocate on the pipe, so when the ref count
goes to 0 and the pipe is freed, handles are freed as well.

At least as far as I can see.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>