summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2010-04-02 19:08:24 +1100
committerAndrew Tridgell <tridge@samba.org>2010-04-02 19:44:02 +1100
commit7d692f970a43e3d357549b02f905fa08d27ae8c8 (patch)
tree80bebb95684652f555d71ca8c64438d94cecc81e
parent53dec154274978ce94de8f5182c7d39a0c5f451e (diff)
downloadsamba-7d692f970a43e3d357549b02f905fa08d27ae8c8.tar.gz
samba-7d692f970a43e3d357549b02f905fa08d27ae8c8.tar.bz2
samba-7d692f970a43e3d357549b02f905fa08d27ae8c8.zip
s4-rpc: fixed a talloc loop in continue_ntlmssp_connection()
We were creating a memory loop which caused havoc when the connection was torn down.
-rw-r--r--source4/librpc/rpc/dcerpc_util.c24
1 files changed, 24 insertions, 0 deletions
diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c
index 8fd17bd782..b71e3060e1 100644
--- a/source4/librpc/rpc/dcerpc_util.c
+++ b/source4/librpc/rpc/dcerpc_util.c
@@ -422,6 +422,7 @@ static void continue_ntlmssp_connection(struct composite_context *ctx)
struct pipe_auth_state *s;
struct composite_context *auth_req;
struct dcerpc_pipe *p2;
+ void *pp;
c = talloc_get_type(ctx->async.private_data, struct composite_context);
s = talloc_get_type(c->private_data, struct pipe_auth_state);
@@ -430,8 +431,31 @@ static void continue_ntlmssp_connection(struct composite_context *ctx)
c->status = dcerpc_secondary_connection_recv(ctx, &p2);
if (!composite_is_ok(c)) return;
+
+ /* this is a rather strange situation. When
+ we come into the routine, s is a child of s->pipe, and
+ when we created p2 above, it also became a child of
+ s->pipe.
+
+ Now we want p2 to be a parent of s->pipe, and we want s to
+ be a parent of both of them! If we don't do this very
+ carefully we end up creating a talloc loop
+ */
+
+ /* we need the new contexts to hang off the same context
+ that s->pipe is on, but the only way to get that is
+ via talloc_parent() */
+ pp = talloc_parent(s->pipe);
+
+ /* promote s to be at the top */
+ talloc_steal(pp, s);
+
+ /* and put p2 under s */
talloc_steal(s, p2);
+
+ /* now put s->pipe under p2 */
talloc_steal(p2, s->pipe);
+
s->pipe = p2;
/* initiate a authenticated bind */