[PATCH] Fixes for winbindd

Volker Lendecke Volker.Lendecke at SerNet.DE
Fri Jul 25 14:59:01 MDT 2014

On Sat, Jul 26, 2014 at 08:26:18AM +1200, Andrew Bartlett wrote:
> netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_send() creates
> state on mem_ctx, which is frame in
> netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords()
> 	struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state *state;
> 	struct tevent_req *subreq;
> 	req = tevent_req_create(mem_ctx, &state,
> 				struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state);
> 	if (req == NULL) {
> 		return NULL;
> 	}
> The state->dns_names is an in/out parameter as dns_names to
> netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords() and has a longer
> lifetime.
> The issue isn't the async, it is that the memory needs to be around
> longer than the state variable.
> The typical approach of a talloc_steal won't work, due to the way the
> ref variable is overwritten.  The struct NL_DNS_NAME_INFO_ARRAY
> dns_names is the original input array, but the elements are overwritten
> in dcerpc_netr_DsrUpdateReadOnlyServerDnsRecords_done()

Ok, understood. To be honest, I'd call this a bug in the way
pidl generates code. I'm not sure there's a better way to do
it, but this is really, really obscure. I'd like to hear
what metze has to say about this before it goes in.

The pure fact that this crash initially went in shows that
something is wrong.


SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de