[Patch] rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface (bug #12890)

Jeremy Allison jra at samba.org
Mon Jul 10 16:58:18 UTC 2017 

On Mon, Jul 10, 2017 at 12:46:25PM +0200, Stefan Metzmacher via samba-technical wrote:
> Hi,
> 
> here's a patch that avoids memory leaks of rpc_pipe_open_interface()
> in source3/smbd/lanman.c and source3/smbd/reply.c. We need to use
> talloc_tos() memory instead of a long term memory context as
> 'connection_struct'.
> 
> We already have this in some places, but some where left...
> 
> There's a similar bug https://bugzilla.samba.org/show_bug.cgi?id=12892,
> but that's something real printing experts should have a look at.
> 
> Please review and push:-)

Reviewed and pushed. Obviously correct, thanks !


> From dd39d1a090d3094fb1eb009da0a8a3ebbb584870 Mon Sep 17 00:00:00 2001
> From: Stefan Metzmacher <metze at samba.org>
> Date: Mon, 10 Jul 2017 11:29:58 +0200
> Subject: [PATCH] s3:smbd: consistently use talloc_tos() memory for
>  rpc_pipe_open_interface()
> 
> The result is only used temporary and should not be leaked on a long term
> memory context as 'conn'.
> 
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=12890
> 
> Signed-off-by: Stefan Metzmacher <metze at samba.org>
> ---
>  source3/smbd/lanman.c | 20 ++++++++++----------
>  source3/smbd/reply.c  |  2 +-
>  2 files changed, 11 insertions(+), 11 deletions(-)
> 
> diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
> index c3e540f..6854527 100644
> --- a/source3/smbd/lanman.c
> +++ b/source3/smbd/lanman.c
> @@ -831,7 +831,7 @@ static bool api_DosPrintQGetInfo(struct smbd_server_connection *sconn,
>  		goto out;
>  	}
>  
> -	status = rpc_pipe_open_interface(conn,
> +	status = rpc_pipe_open_interface(mem_ctx,
>  					 &ndr_table_spoolss,
>  					 conn->session_info,
>  					 conn->sconn->remote_address,
> @@ -1029,7 +1029,7 @@ static bool api_DosPrintQEnum(struct smbd_server_connection *sconn,
>  		return(True);
>  	}
>  
> -	status = rpc_pipe_open_interface(conn,
> +	status = rpc_pipe_open_interface(mem_ctx,
>  					 &ndr_table_spoolss,
>  					 conn->session_info,
>  					 conn->sconn->remote_address,
> @@ -3144,7 +3144,7 @@ static bool api_RDosPrintJobDel(struct smbd_server_connection *sconn,
>  
>  	ZERO_STRUCT(handle);
>  
> -	status = rpc_pipe_open_interface(conn,
> +	status = rpc_pipe_open_interface(mem_ctx,
>  					 &ndr_table_spoolss,
>  					 conn->session_info,
>  					 conn->sconn->remote_address,
> @@ -3273,7 +3273,7 @@ static bool api_WPrintQueueCtrl(struct smbd_server_connection *sconn,
>  
>  	ZERO_STRUCT(handle);
>  
> -	status = rpc_pipe_open_interface(conn,
> +	status = rpc_pipe_open_interface(mem_ctx,
>  					 &ndr_table_spoolss,
>  					 conn->session_info,
>  					 conn->sconn->remote_address,
> @@ -3456,7 +3456,7 @@ static bool api_PrintJobInfo(struct smbd_server_connection *sconn,
>  
>  	ZERO_STRUCT(handle);
>  
> -	status = rpc_pipe_open_interface(conn,
> +	status = rpc_pipe_open_interface(mem_ctx,
>  					 &ndr_table_spoolss,
>  					 conn->session_info,
>  					 conn->sconn->remote_address,
> @@ -4601,7 +4601,7 @@ static bool api_WPrintJobGetInfo(struct smbd_server_connection *sconn,
>  
>  	ZERO_STRUCT(handle);
>  
> -	status = rpc_pipe_open_interface(conn,
> +	status = rpc_pipe_open_interface(mem_ctx,
>  					 &ndr_table_spoolss,
>  					 conn->session_info,
>  					 conn->sconn->remote_address,
> @@ -4744,7 +4744,7 @@ static bool api_WPrintJobEnumerate(struct smbd_server_connection *sconn,
>  
>  	ZERO_STRUCT(handle);
>  
> -	status = rpc_pipe_open_interface(conn,
> +	status = rpc_pipe_open_interface(mem_ctx,
>  					 &ndr_table_spoolss,
>  					 conn->session_info,
>  					 conn->sconn->remote_address,
> @@ -4945,7 +4945,7 @@ static bool api_WPrintDestGetInfo(struct smbd_server_connection *sconn,
>  
>  	ZERO_STRUCT(handle);
>  
> -	status = rpc_pipe_open_interface(conn,
> +	status = rpc_pipe_open_interface(mem_ctx,
>  					 &ndr_table_spoolss,
>  					 conn->session_info,
>  					 conn->sconn->remote_address,
> @@ -5078,7 +5078,7 @@ static bool api_WPrintDestEnum(struct smbd_server_connection *sconn,
>  
>  	queuecnt = 0;
>  
> -	status = rpc_pipe_open_interface(conn,
> +	status = rpc_pipe_open_interface(mem_ctx,
>  					 &ndr_table_spoolss,
>  					 conn->session_info,
>  					 conn->sconn->remote_address,
> @@ -5390,7 +5390,7 @@ static bool api_RNetSessionEnum(struct smbd_server_connection *sconn,
>  		return False;
>  	}
>  
> -	status = rpc_pipe_open_interface(conn,
> +	status = rpc_pipe_open_interface(mem_ctx,
>  					 &ndr_table_srvsvc,
>  					 conn->session_info,
>  					 conn->sconn->remote_address,
> diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
> index e430a8e..d102b7a 100644
> --- a/source3/smbd/reply.c
> +++ b/source3/smbd/reply.c
> @@ -5942,7 +5942,7 @@ void reply_printqueue(struct smb_request *req)
>  
>  		ZERO_STRUCT(handle);
>  
> -		status = rpc_pipe_open_interface(conn,
> +		status = rpc_pipe_open_interface(mem_ctx,
>  						 &ndr_table_spoolss,
>  						 conn->session_info,
>  						 conn->sconn->remote_address,
> -- 
> 1.9.1
>

More information about the samba-technical mailing list