RHEL6 init.d script (was Re: Initscript Debian Wheezy)

Stefan (metze) Metzmacher metze at samba.org
Tue Sep 11 16:09:36 MDT 2012


On 11.09.2012 23:51, Jeremy Allison wrote:
> On Tue, Sep 11, 2012 at 11:43:14PM +0200, Stefan (metze) Metzmacher wrote:
>>
>> I think we never set state->pp_self_ref to NULL
>> but still call TALLOC_FREE(state->pp_self_ref);
>> in some error cases.
> 
> I just did a git grep and searched for all
> uses of 'TALLOC_FREE(state->pp_self_ref);'
> 
> In *every* case this is only called after
> the comment:
> 
> /* we want to keep the session */
> 
> So we only ever see it used in the code path:
> 
>                 /* we want to keep the session */
>                 TALLOC_FREE(state->pp_self_ref);
>                 tevent_req_done(req);
>                 return;
> 
> Check it out. It's never called in any error case - by
> design (as I recall when I wrote this code :-).
> 
>> Which might trigger a double free.
>> so when we set (*pp_state)->session = NULL,
>> we should also set (*pp_state)->pp_self_ref = NULL.
>> Otherwise we still leave an invalid pointer.
> 
> Nope, still don't see it.

It might not happen, but it's at least very confusing
and might cause problems in future.

After the destructor returns (*pp_state)->pp_self_ref points
to invalid memory currently.

metze
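The hazard metze describes above, as an added C example that is not from the Samba source or from either author: a constructed model of a request state whose session owns a back-reference object, with the destructor as quoted in the thread next to the variant that also clears `pp_self_ref`. It uses plain malloc/free rather than talloc, all names (`req_state`, `self_ref`, `session_teardown`, `leaves_stale_self_ref`) are hypothetical, and a `freed` flag stands in for talloc actually releasing the child, so the stale-pointer check never reads freed memory.

```c
#include <stdbool.h>
#include <stdlib.h>

/*
 * Constructed model of the back-reference pattern from the thread.
 * Plain malloc/free, not talloc; names are hypothetical.  Freed
 * self_ref objects are only marked, not released, so the check at
 * the bottom stays well-defined C.
 */

struct req_state;

/* Owned by the session; its destructor runs when the session goes away. */
struct self_ref {
    struct req_state *state;   /* back-pointer to the request state */
    bool freed;                /* set when the owning session is torn down */
};

struct session {
    struct self_ref *ref;
};

struct req_state {
    struct session *session;        /* NULL once the session is gone */
    struct self_ref *pp_self_ref;   /* points at session->ref while it lives */
};

typedef void (*self_ref_destructor_fn)(struct self_ref *ref);

/* Destructor as quoted in the thread: only the session pointer is cleared,
 * so state->pp_self_ref keeps pointing at memory that is about to be freed. */
static void self_ref_destructor_original(struct self_ref *ref)
{
    ref->state->session = NULL;
}

/* Destructor with the additional assignment metze asks for: the state no
 * longer references the freed object, and a later TALLOC_FREE-style
 * free-and-NULL on pp_self_ref becomes a harmless no-op. */
static void self_ref_destructor_fixed(struct self_ref *ref)
{
    ref->state->session = NULL;
    ref->state->pp_self_ref = NULL;
}

static struct req_state *req_state_create(void)
{
    struct req_state *st = calloc(1, sizeof(*st));
    struct session *s = calloc(1, sizeof(*s));
    struct self_ref *ref = calloc(1, sizeof(*ref));
    if (!st || !s || !ref) {
        free(st);
        free(s);
        free(ref);
        return NULL;
    }
    ref->state = st;
    s->ref = ref;
    st->session = s;
    st->pp_self_ref = ref;
    return st;
}

/* Tearing down the session runs the destructor of the object it owns and
 * then releases it (modelled here by the freed flag). */
static void session_teardown(struct session *s, self_ref_destructor_fn destructor)
{
    destructor(s->ref);
    s->ref->freed = true;
    free(s);
}

/*
 * Returns true when, after the session is gone, the state still carries a
 * pointer to the now-freed self reference.  With the original destructor
 * this is the dangling pointer the thread talks about; with the fixed one
 * the field is NULL and nothing stale remains.
 */
static bool leaves_stale_self_ref(self_ref_destructor_fn destructor)
{
    struct req_state *st = req_state_create();
    if (!st) {
        return false;
    }
    struct self_ref *ref = st->pp_self_ref;   /* kept only for cleanup */

    session_teardown(st->session, destructor);

    bool stale = (st->pp_self_ref != NULL && st->pp_self_ref->freed);

    free(ref);
    free(st);
    return stale;
}
```

Running `leaves_stale_self_ref` with each destructor shows the difference directly: the original leaves a stale `pp_self_ref` behind, the fixed variant does not. In real talloc code the same property is easiest to confirm under AddressSanitizer or talloc's own abort-on-double-free checks, since an unconditional free on the stale field is what turns the invalid pointer into a crash.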
