[PATCH] smbd: Fix a talloc hierarchy problem in msg_channel

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue Nov 19 13:00:04 MST 2013


Attached find a patch that is supposed to fix bug 10250. The
reporter has successfully tested the patch. Unfortunately I
don't have a clue how to reproduce the crash at all, so I
can't write a torture test to make sure we don't regress
here. Hopefully it's helpful even without the reproducer.

Please review & push!


SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
-------------- next part --------------
From c809f99c3ef2392ab5f6f21213ad3164ab6727f7 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Thu, 14 Nov 2013 21:30:49 +0100
Subject: [PATCH] smbd: Fix a talloc hierarchy problem in msg_channel

When tearing down a watch_send with an open tevent_immediate, we
talloc_free the msg_channel while the tevent_immediate still references
it. Don't make the tevent_immediate outlive the msg_channel.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10250
Signed-off-by: Volker Lendecke <vl at samba.org>
 source3/lib/msg_channel.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/lib/msg_channel.c b/source3/lib/msg_channel.c
index 537b162..625d07c 100644
--- a/source3/lib/msg_channel.c
+++ b/source3/lib/msg_channel.c
@@ -244,7 +244,7 @@ struct tevent_req *msg_read_send(TALLOC_CTX *mem_ctx,
 	num_msgs = talloc_array_length(channel->msgs);
 	if (num_msgs != 0) {
-		im = tevent_create_immediate(channel->ev);
+		im = tevent_create_immediate(channel);
 		if (tevent_req_nomem(im, req)) {
 			return tevent_req_post(req, ev);

More information about the samba-technical mailing list