summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2005-04-28 07:30:36 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:16:20 -0500
commit584f64c103341c93ac7b33a299cd8a20e48918da (patch)
tree8bd82dc4170cd8ea609dd9b6c468654f3ea6a4bf
parent25601d2d67f5ae2d539541d310fe6c3431e6a890 (diff)
downloadsamba-584f64c103341c93ac7b33a299cd8a20e48918da.tar.gz
samba-584f64c103341c93ac7b33a299cd8a20e48918da.tar.bz2
samba-584f64c103341c93ac7b33a299cd8a20e48918da.zip
r6509: fixed a crash bug found by a-jutley@microsoft.com in RPC-RAP test
(the call freed the memory it used to fill in the result structure) (This used to be commit b352ef1a4282ddadf85e635112ff51dc3222a854)
-rw-r--r--source4/torture/rap/rap.c22
1 files changed, 14 insertions, 8 deletions
diff --git a/source4/torture/rap/rap.c b/source4/torture/rap/rap.c
index f245bc679e..52fc100b23 100644
--- a/source4/torture/rap/rap.c
+++ b/source4/torture/rap/rap.c
@@ -207,6 +207,7 @@ static NTSTATUS rap_cli_do_call(struct smbcli_state *cli, struct rap_call *call)
} while (0)
static NTSTATUS smbcli_rap_netshareenum(struct smbcli_state *cli,
+ TALLOC_CTX *mem_ctx,
struct rap_NetShareEnum *r)
{
struct rap_call *call;
@@ -241,8 +242,7 @@ static NTSTATUS smbcli_rap_netshareenum(struct smbcli_state *cli,
NDR_OK(ndr_pull_uint16(call->ndr_pull_param, NDR_SCALARS, &r->out.count));
NDR_OK(ndr_pull_uint16(call->ndr_pull_param, NDR_SCALARS, &r->out.available));
- r->out.info = talloc_array(call, union rap_shareenum_info,
- r->out.count);
+ r->out.info = talloc_array(mem_ctx, union rap_shareenum_info, r->out.count);
if (r->out.info == NULL) {
result = NT_STATUS_NO_MEMORY;
@@ -262,7 +262,7 @@ static NTSTATUS smbcli_rap_netshareenum(struct smbcli_state *cli,
(uint8_t *)&r->out.info[i].info1.pad, 1));
NDR_OK(ndr_pull_uint16(call->ndr_pull_data,
NDR_SCALARS, &r->out.info[i].info1.type));
- NDR_OK(rap_pull_string(call, call->ndr_pull_data,
+ NDR_OK(rap_pull_string(mem_ctx, call->ndr_pull_data,
r->out.convert,
&r->out.info[i].info1.comment));
break;
@@ -280,11 +280,12 @@ static BOOL test_netshareenum(struct smbcli_state *cli)
{
struct rap_NetShareEnum r;
int i;
+ TALLOC_CTX *tmp_ctx = talloc_new(cli);
r.in.level = 1;
r.in.bufsize = 8192;
- if (!NT_STATUS_IS_OK(smbcli_rap_netshareenum(cli, &r)))
+ if (!NT_STATUS_IS_OK(smbcli_rap_netshareenum(cli, tmp_ctx, &r)))
return False;
for (i=0; i<r.out.count; i++) {
@@ -293,10 +294,13 @@ static BOOL test_netshareenum(struct smbcli_state *cli)
r.out.info[i].info1.comment);
}
+ talloc_free(tmp_ctx);
+
return True;
}
static NTSTATUS smbcli_rap_netserverenum2(struct smbcli_state *cli,
+ TALLOC_CTX *mem_ctx,
struct rap_NetServerEnum2 *r)
{
struct rap_call *call;
@@ -335,8 +339,7 @@ static NTSTATUS smbcli_rap_netserverenum2(struct smbcli_state *cli,
NDR_OK(ndr_pull_uint16(call->ndr_pull_param, NDR_SCALARS, &r->out.count));
NDR_OK(ndr_pull_uint16(call->ndr_pull_param, NDR_SCALARS, &r->out.available));
- r->out.info = talloc_array(call, union rap_server_info,
- r->out.count);
+ r->out.info = talloc_array(mem_ctx, union rap_server_info, r->out.count);
if (r->out.info == NULL) {
result = NT_STATUS_NO_MEMORY;
@@ -358,7 +361,7 @@ static NTSTATUS smbcli_rap_netserverenum2(struct smbcli_state *cli,
&r->out.info[i].info1.version_minor, 1));
NDR_OK(ndr_pull_uint32(call->ndr_pull_data,
NDR_SCALARS, &r->out.info[i].info1.servertype));
- NDR_OK(rap_pull_string(call, call->ndr_pull_data,
+ NDR_OK(rap_pull_string(mem_ctx, call->ndr_pull_data,
r->out.convert,
&r->out.info[i].info1.comment));
}
@@ -375,6 +378,7 @@ static BOOL test_netserverenum(struct smbcli_state *cli)
{
struct rap_NetServerEnum2 r;
int i;
+ TALLOC_CTX *tmp_ctx = talloc_new(cli);
r.in.level = 0;
r.in.bufsize = 8192;
@@ -382,7 +386,7 @@ static BOOL test_netserverenum(struct smbcli_state *cli)
r.in.servertype = 0x80000000;
r.in.domain = NULL;
- if (!NT_STATUS_IS_OK(smbcli_rap_netserverenum2(cli, &r)))
+ if (!NT_STATUS_IS_OK(smbcli_rap_netserverenum2(cli, tmp_ctx, &r)))
return False;
for (i=0; i<r.out.count; i++) {
@@ -398,6 +402,8 @@ static BOOL test_netserverenum(struct smbcli_state *cli)
}
}
+ talloc_free(tmp_ctx);
+
return True;
}