Why are we using SMB_MALLOC_ARRAY in smb2_setinfo.c
Stefan (metze) Metzmacher
metze at samba.org
Wed Jun 17 02:29:22 MDT 2015
Hi Jeremy,
maybe this patch works...
metze
On 16.06.2015 at 23:42, Jeremy Allison wrote:
> On Tue, Jun 16, 2015 at 09:52:10AM -0700, Jeremy Allison wrote:
>> On Mon, Jun 15, 2015 at 08:42:03AM +0200, Stefan (metze) Metzmacher wrote:
>>> Hi Richard,
>>>
>>> the following patch should fix the problem.
>>
>> Pushed with a rename of talloc_set_destructor -> defer_rename_state_destructor
>> to make it compile :-).
>
> Spoke too soon, this fix causes a crash in
> TESTS=samba3.smb2.lease with the rename:
>
> [1(0)/2 at 0s] samba3.smb2.lease(nt4_dc)
> *** Error in `./bin/smbd': free(): invalid pointer: 0x00007f3285553d30 ***
>
> I'll investigate.
>
-------------- next part --------------
From ac3906929c843ea5051fee2fea4dcc837fe66e7e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 15 Jun 2015 08:34:12 +0200
Subject: [PATCH] s3:smb2_setinfo: fix memory leak in the defer_rename case
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11329
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source3/smbd/smb2_setinfo.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/source3/smbd/smb2_setinfo.c b/source3/smbd/smb2_setinfo.c
index 3f7bbec..9361aea 100644
--- a/source3/smbd/smb2_setinfo.c
+++ b/source3/smbd/smb2_setinfo.c
@@ -168,6 +168,12 @@ struct defer_rename_state {
int data_size;
};
+static int defer_rename_state_destructor(struct defer_rename_state *rename_state)
+{
+ SAFE_FREE(rename_state->data);
+ return 0;
+}
+
static void defer_rename_done(struct tevent_req *subreq);
static struct tevent_req *delay_rename_for_lease_break(struct tevent_req *req,
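Review bot: defer_rename_state_destructor() calls SAFE_FREE(rename_state->data) unconditionally, so it is only correct if data is always a malloc-family allocation that rename_state exclusively owns, and nothing in the struct or the function says so. Please add a comment stating that ownership rule on the data member or above the destructor. Given the question in the subject line, allocating the buffer as a talloc child of rename_state would remove the need for a destructor altogether.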
@@ -240,6 +246,8 @@ static struct tevent_req *delay_rename_for_lease_break(struct tevent_req *req,
rename_state->data = data;
rename_state->data_size = data_size;
+ talloc_set_destructor(rename_state, defer_rename_state_destructor);
+
subreq = dbwrap_record_watch_send(
rename_state,
ev,
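Review bot: talloc_set_destructor() is installed right after `rename_state->data = data;`, which stores the caller's pointer rather than a copy, so from this line on every free of rename_state also frees the caller's buffer. The hunk does not show the caller giving up its pointer, nor what happens to rename_state if dbwrap_record_watch_send() fails; if either side still frees data, the result is a double or invalid free, which is the class of failure reported earlier in this thread (free(): invalid pointer in samba3.smb2.lease). Please make the handover explicit, for example by having the caller clear its pointer once this function has taken the buffer, and check the error path that follows.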
@@ -312,6 +320,7 @@ static void defer_rename_done(struct tevent_req *subreq)
state->data_size);
if (subreq) {
/* Yep - keep waiting. */
+ state->data = NULL;
TALLOC_FREE(state);
TALLOC_FREE(lck);
return;
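Review bot: `state->data = NULL;` is only set inside the `if (subreq)` branch, so when the call ending in `state->data_size);` returns NULL the old state still holds the pointer while, per the previous hunk, a new rename_state may already have taken data and installed its destructor before failing. Please confirm that this path cannot free the buffer twice. The assignment also needs a comment saying that the buffer now belongs to the new request and must not be freed by this state's destructor.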
--
1.9.1