diff options
| author | Andrew Tridgell <tridge@samba.org> | 2010-09-15 11:23:15 +1000 |
|---|---|---|
| committer | Andrew Tridgell <tridge@samba.org> | 2010-09-15 15:39:36 +1000 |
| commit | a498ab90fbad872c36900a86fe7ccada64c3c4a7 (patch) | |
| tree | 476e0640709f1515c21da466a874b012576683be | |
| parent | 0212800de8c6367c9da7939fc43a1fa23c7da2bf (diff) | |
| download | samba-a498ab90fbad872c36900a86fe7ccada64c3c4a7.tar.gz samba-a498ab90fbad872c36900a86fe7ccada64c3c4a7.tar.bz2 samba-a498ab90fbad872c36900a86fe7ccada64c3c4a7.zip | |
s4-rpc: fixed double free in RPC proxy
the unbind method is only called when the dcesrv_connection_context is
being destroyed (its called from the destructor). That means that priv
is either already free, or is about to be freed, so don't free it
again
| -rw-r--r-- | source4/rpc_server/remote/dcesrv_remote.c | 16 |
1 files changed, 4 insertions, 12 deletions
diff --git a/source4/rpc_server/remote/dcesrv_remote.c b/source4/rpc_server/remote/dcesrv_remote.c index 7ba39462fd..23c873799b 100644 --- a/source4/rpc_server/remote/dcesrv_remote.c +++ b/source4/rpc_server/remote/dcesrv_remote.c @@ -146,15 +146,6 @@ static NTSTATUS remote_op_bind(struct dcesrv_call_state *dce_call, const struct return NT_STATUS_OK; } -static void remote_op_unbind(struct dcesrv_connection_context *context, const struct dcesrv_interface *iface) -{ - struct dcesrv_remote_private *priv = (struct dcesrv_remote_private *)context->private_data; - - talloc_free(priv->c_pipe); - - return; -} - static NTSTATUS remote_op_ndr_pull(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct ndr_pull *pull, void **r) { enum ndr_err_code ndr_err; @@ -190,7 +181,8 @@ static void remote_op_dispatch_done(struct rpc_request *rreq); static NTSTATUS remote_op_dispatch(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, void *r) { - struct dcesrv_remote_private *priv = dce_call->context->private_data; + struct dcesrv_remote_private *priv = talloc_get_type_abort(dce_call->context->private_data, + struct dcesrv_remote_private); uint16_t opnum = dce_call->pkt.u.request.opnum; const struct ndr_interface_table *table = dce_call->context->iface->private_data; const struct ndr_interface_call *call; @@ -223,7 +215,8 @@ static void remote_op_dispatch_done(struct rpc_request *rreq) { struct dcesrv_call_state *dce_call = talloc_get_type_abort(rreq->async.private_data, struct dcesrv_call_state); - struct dcesrv_remote_private *priv = dce_call->context->private_data; + struct dcesrv_remote_private *priv = talloc_get_type_abort(dce_call->context->private_data, + struct dcesrv_remote_private); uint16_t opnum = dce_call->pkt.u.request.opnum; const struct ndr_interface_table *table = dce_call->context->iface->private_data; const struct ndr_interface_call *call; @@ -329,7 +322,6 @@ static bool remote_fill_interface(struct dcesrv_interface *iface, const struct n iface->syntax_id = if_tabl->syntax_id; iface->bind = remote_op_bind; - iface->unbind = remote_op_unbind; iface->ndr_pull = remote_op_ndr_pull; iface->dispatch = remote_op_dispatch; |