[PATCH] smbd: Fix a talloc hierarchy problem in msg_channel
Volker Lendecke
Volker.Lendecke at SerNet.DE
Tue Nov 19 13:00:04 MST 2013
Hi!
Attached find a patch that is supposed to fix bug 10250. The
reporter has successfully tested the patch. Unfortunately I
don't have a clue how to reproduce the crash at all, so I
can't write a torture test to make sure we don't regress
here. Hopefully it's helpful even without the reproducer.
Please review & push!
Volker
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
-------------- next part --------------
From c809f99c3ef2392ab5f6f21213ad3164ab6727f7 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Thu, 14 Nov 2013 21:30:49 +0100
Subject: [PATCH] smbd: Fix a talloc hierarchy problem in msg_channel
When tearing down a watch_send with an open tevent_immediate, we
talloc_free the msg_channel while the tevent_immediate still references
it. Don't make the tevent_immediate outlive the msg_channel.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10250
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source3/lib/msg_channel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/lib/msg_channel.c b/source3/lib/msg_channel.c
index 537b162..625d07c 100644
--- a/source3/lib/msg_channel.c
+++ b/source3/lib/msg_channel.c
@@ -244,7 +244,7 @@ struct tevent_req *msg_read_send(TALLOC_CTX *mem_ctx,
num_msgs = talloc_array_length(channel->msgs);
if (num_msgs != 0) {
- im = tevent_create_immediate(channel->ev);
+ im = tevent_create_immediate(channel);
if (tevent_req_nomem(im, req)) {
return tevent_req_post(req, ev);
}
--
1.7.9.5
More information about the samba-technical
mailing list