Your talloc_free_children() fix.

simo idra at samba.org
Fri Jul 29 18:44:01 MDT 2011


On Fri, 2011-07-29 at 16:17 -0700, Jeremy Allison wrote:
> Simo,
> 
> 	Should this be in 3.6.0 final ? What effect does it have
> (just wanted to know how you found it).
> 
> Thanks !

Andreas found it using talloc_report_full() in searching for another
crash bug in talloc that is very hard to reproduce in a synthetic
testsuite. In fact I tried today and couldn't :(

We haven't seen crashes related to this bug, but they are potentially there.
What happens w/o the patch is that the name of the context (tc->name) is
freed if the name is a child of the context, but the pointer is not
cleared, therefore you have a dangling pointer. It can therefore point to
anything including freed memory and can crash when talloc_get_name() is
used on the mem context after talloc_free_children() is called on it.

Because we haven't seen any crash related to it so far I think it
doesn't need to be rushed into 3.6.0 and can wait for 3.6.1.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
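The failure mode described in the mail, as an added example that is not code from the thread or from talloc itself. It uses a deliberately tiny stand-in for a talloc context (`struct chunk`, `chunk_alloc`, `chunk_set_name`, all made up here; talloc's real chunk layout and bookkeeping are different) in which, as with talloc_set_name(), the name string is itself a child allocation of the context. `free_children_buggy` frees every child and leaves `name` pointing at freed memory, which is what a later talloc_get_name() would read. `free_children_keep_name` shows one way to avoid that, by unlinking the child that owns the name before freeing the rest and relinking it afterwards; that mitigation is an illustration chosen for this example, not a claim about what the actual patch does. The liveness check compares addresses only, so the dangling pointer is never dereferenced.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a talloc chunk; NOT talloc's real layout. */
struct chunk {
    const char *name;    /* like tc->name: may point into a child's payload */
    struct chunk *child; /* head of this chunk's child list */
    struct chunk *next;  /* sibling link */
    size_t size;         /* payload size */
    char data[];         /* payload handed to the caller */
};

static const char unnamed_name[] = "UNNAMED"; /* static: never a child */

static struct chunk *chunk_alloc(struct chunk *parent, size_t size)
{
    struct chunk *c = calloc(1, sizeof(*c) + size);
    if (c == NULL) abort();
    c->name = unnamed_name;
    c->size = size;
    if (parent != NULL) {
        c->next = parent->child;
        parent->child = c;
    }
    return c;
}

/* Like talloc_set_name(): the name string is allocated as a child of c. */
static void chunk_set_name(struct chunk *c, const char *name)
{
    size_t len = strlen(name) + 1;
    struct chunk *n = chunk_alloc(c, len);
    memcpy(n->data, name, len);
    c->name = n->data;
}

/* Free a chunk and everything beneath it. */
static void chunk_free(struct chunk *c)
{
    while (c->child != NULL) {
        struct chunk *victim = c->child;
        c->child = victim->next;
        chunk_free(victim);
    }
    free(c);
}

/* Address-only test: does `name` lie inside child c's payload? */
static int name_in_chunk(const struct chunk *c, const char *name)
{
    uintptr_t lo = (uintptr_t)c->data, hi = lo + c->size, p = (uintptr_t)name;
    return p >= lo && p < hi;
}

/* The bug as described: all children freed, c->name left dangling. */
static void free_children_buggy(struct chunk *c)
{
    while (c->child != NULL) {
        struct chunk *victim = c->child;
        c->child = victim->next;
        chunk_free(victim); /* may be the memory c->name points to */
    }
}

/* Illustrative mitigation (an assumption for this example, not the real patch):
 * unlink the child that owns the name, free the others, relink it. */
static void free_children_keep_name(struct chunk *c)
{
    struct chunk *keep = NULL, **pp = &c->child;
    while (*pp != NULL) {
        if (name_in_chunk(*pp, c->name)) {
            keep = *pp;
            *pp = keep->next; /* unlink; *pp now advances past it */
            keep->next = NULL;
        } else {
            pp = &(*pp)->next;
        }
    }
    free_children_buggy(c); /* safe now: the name's chunk is not in the list */
    if (keep != NULL) {
        keep->next = c->child;
        c->child = keep;
    }
}

/* 1 if c->name still points at live memory, 0 if it dangles. No dereference. */
static int name_is_live(const struct chunk *c)
{
    if (c->name == unnamed_name) return 1;
    for (const struct chunk *k = c->child; k != NULL; k = k->next)
        if (name_in_chunk(k, c->name)) return 1;
    return 0;
}

/* Build a named context with ordinary children, run free_children, report. */
static int name_survives(void (*free_children)(struct chunk *))
{
    struct chunk *ctx = chunk_alloc(NULL, 16);
    chunk_set_name(ctx, "my context"); /* constructed sample name */
    chunk_alloc(ctx, 64);
    chunk_alloc(ctx, 8);
    free_children(ctx);
    int live = name_is_live(ctx);
    if (live) printf("name after free_children: %s\n", ctx->name);
    else printf("name pointer dangles (not dereferenced)\n");
    chunk_free(ctx);
    return live;
}

int main(void)
{
    printf("buggy variant keeps name: %d\n", name_survives(free_children_buggy));
    printf("fixed variant keeps name: %d\n", name_survives(free_children_keep_name));
    return 0;
}
```

Running the buggy variant under a tool like Valgrind or ASan with the `printf` of `ctx->name` forced would flag a use-after-free, which is the kind of report that talloc_report_full() surfaced here; the example avoids that read on purpose so it is safe to run as-is.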
