s4:torture:smb2: fix a nasty double free error.

Andrew Bartlett abartlet at samba.org
Thu Oct 27 22:44:32 MDT 2011


On Fri, 2011-10-28 at 02:38 +0200, Michael Adam wrote:
> --- a/source4/torture/smb2/smb2.c
> +++ b/source4/torture/smb2/smb2.c
> @@ -30,17 +30,25 @@ static bool wrap_simple_1smb2_test(struct
> torture_context *torture_ctx,
>  {
>         bool (*fn) (struct torture_context *, struct smb2_tree *);
>         bool ret;
> -
>         struct smb2_tree *tree1;
> +       TALLOC_CTX *mem_ctx = talloc_new(torture_ctx);
>  
>         if (!torture_smb2_connection(torture_ctx, &tree1))
>                 return false;
>  
> +       /*
> +        * This is a trick:
> +        * The test might close the connection. If we steal the tree
> context
> +        * before that and free the parent instead of tree directly,
> we avoid
> +        * a double free error.
> +        */
> +       talloc_steal(mem_ctx, tree1);
> +
>         fn = test->fn;
>  
>         ret = fn(torture_ctx, tree1);
>  
> -       talloc_free(tree1);
> +       talloc_free(mem_ctx);
>  
>         return ret;
>  }
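Review bot: the early `return false` after the `torture_smb2_connection()` check now leaks `mem_ctx`, which this hunk allocates unconditionally at the top of the function; either move `TALLOC_CTX *mem_ctx = talloc_new(torture_ctx);` below the connection check (as `tree1` is only stolen once the connection exists) or `talloc_free(mem_ctx)` before returning. The `talloc_new()` result is also not checked for NULL: `talloc_steal(NULL, tree1)` would make the tree a top-level context and the later `talloc_free(mem_ctx)` would then free nothing, so the tree would leak rather than be double freed.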

The other way to do this would be to initialise tree1 to:

talloc_unlink(torture_ctx, tree1)

That way, we only unlink tree1 that is a child of torture_ctx.  This is
essentially what your patch does, as internally talloc always calls
talloc_unlink(parent, child).

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org


