authorJeremy Allison <jra@samba.org>2002-11-23 02:52:36 +0000
committerJeremy Allison <jra@samba.org>2002-11-23 02:52:36 +0000
commitde474974ea25df7738dd175126e3f1de0df47ea6 (patch)
treeb9d41afb7e5c64a91fb5538c05e9d3358909c386 /source3/lib
parent46d5c060c60753b94ae97ccd48aa7a8be791feed (diff)
Lots of fixes for error paths where tdb_fetch() data need freeing.
Found via a post from Arcady Chernyak <Arcady.Chernyak@efi.com>. Jeremy. (This used to be commit 5d5762d1787db4392d2dff16024097c638b2d494)
Diffstat (limited to 'source3/lib')
-rw-r--r--source3/lib/gencache.c14
-rw-r--r--source3/lib/messages.c19
2 files changed, 23 insertions, 10 deletions
diff --git a/source3/lib/gencache.c b/source3/lib/gencache.c
index 9e2009ad4a..a872f1331c 100644
--- a/source3/lib/gencache.c
+++ b/source3/lib/gencache.c
@@ -238,16 +238,18 @@ BOOL gencache_get(const char *keystr, char **valstr, time_t *timeout)
/* fail completely if get null pointers passed */
SMB_ASSERT(keystr && valstr && timeout);
- if (!gencache_init()) return False;
+ if (!gencache_init())
+ return False;
keybuf.dptr = strdup(keystr);
keybuf.dsize = strlen(keystr);
databuf = tdb_fetch(cache, keybuf);
- if (databuf.dptr) {
+ if (databuf.dptr && databuf.dsize > TIMEOUT_LEN) {
char* entry_buf = strndup(databuf.dptr, databuf.dsize);
*valstr = (char*)malloc(sizeof(char) * (databuf.dsize - TIMEOUT_LEN));
+ SAFE_FREE(databuf.dptr);
sscanf(entry_buf, CACHE_DATA_FMT, (int*)timeout, *valstr);
SAFE_FREE(entry_buf);
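Review bot: Neither `strndup()` nor `malloc()` is checked before the `sscanf()` call in this hunk, so an allocation failure makes sscanf read from or write through a NULL pointer. A guard placed after `SAFE_FREE(databuf.dptr);` would cover it: `if (!entry_buf || !*valstr) { SAFE_FREE(entry_buf); SAFE_FREE(*valstr); return False; }`. The same unchecked pair (`entry`, `valstr`) appears in the gencache_iterate hunk further down, where the failure path would be `continue`. gencache_get starts before and continues past this hunk.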
@@ -256,6 +258,7 @@ BOOL gencache_get(const char *keystr, char **valstr, time_t *timeout)
ctime(timeout)));
return *timeout > time(NULL);
} else {
+ SAFE_FREE(databuf.dptr);
*valstr = NULL;
timeout = NULL;
DEBUG(10, ("Cache entry with key = %s couldn't be found\n", keystr));
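Review bot: `keybuf.dptr` is allocated with `strdup(keystr)` in the previous hunk, but no matching free is visible on either exit: this else branch releases only `databuf.dptr`, and the success branch reaches `return *timeout > time(NULL);` without one in the lines shown. A couple of lines between the two hunks are not visible, so this needs confirming against the full file; if it holds, every cache lookup leaks a copy of the key. Since the visible code does not use `keybuf` after the fetch, `SAFE_FREE(keybuf.dptr);` directly after `databuf = tdb_fetch(cache, keybuf);` would cover both branches. The function continues past the end of this hunk.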
@@ -300,7 +303,12 @@ void gencache_iterate(void (*fn)(const char* key, const char *value, time_t time
* all of the entries. Validity verification is up to fn routine.
*/
databuf = tdb_fetch(cache, node->node_key);
+ if (!databuf.dptr || databuf.dsize <= TIMEOUT_LEN) {
+ SAFE_FREE(databuf.dptr);
+ continue;
+ }
entry = strndup(databuf.dptr, databuf.dsize);
+ SAFE_FREE(databuf.dptr);
valstr = (char*)malloc(sizeof(char) * (databuf.dsize - TIMEOUT_LEN));
sscanf(entry, CACHE_DATA_FMT, (int*)(&timeout), valstr);
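Review bot: `sscanf(entry, CACHE_DATA_FMT, (int*)(&timeout), valstr)` stores through an `int *` into a `time_t` and ignores the conversion count. Where time_t is wider than int only part of `timeout` is written, and a record that does not match the format leaves `valstr` unset before it is used later in the loop (that use is outside the hunk). Scanning into a local and checking the result would address both, assuming the format carries the two conversions its arguments suggest: `int t; if (sscanf(entry, CACHE_DATA_FMT, &t, valstr) != 2) { SAFE_FREE(entry); SAFE_FREE(valstr); continue; }` followed by `timeout = t;`. The same cast is used in the gencache_get hunk above.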
@@ -315,5 +323,3 @@ void gencache_iterate(void (*fn)(const char* key, const char *value, time_t time
tdb_search_list_free(first_node);
}
-
-
diff --git a/source3/lib/messages.c b/source3/lib/messages.c
index d9886a54da..36a23e28ab 100644
--- a/source3/lib/messages.c
+++ b/source3/lib/messages.c
@@ -180,10 +180,12 @@ BOOL message_send_pid(pid_t pid, int msg_type, const void *buf, size_t len,
if (!dbuf.dptr) {
/* its a new record */
p = (void *)malloc(len + sizeof(rec));
- if (!p) goto failed;
+ if (!p)
+ goto failed;
memcpy(p, &rec, sizeof(rec));
- if (len > 0) memcpy((void *)((char*)p+sizeof(rec)), buf, len);
+ if (len > 0)
+ memcpy((void *)((char*)p+sizeof(rec)), buf, len);
dbuf.dptr = p;
dbuf.dsize = len + sizeof(rec);
@@ -218,11 +220,13 @@ BOOL message_send_pid(pid_t pid, int msg_type, const void *buf, size_t len,
/* we're adding to an existing entry */
p = (void *)malloc(dbuf.dsize + len + sizeof(rec));
- if (!p) goto failed;
+ if (!p)
+ goto failed;
memcpy(p, dbuf.dptr, dbuf.dsize);
memcpy((void *)((char*)p+dbuf.dsize), &rec, sizeof(rec));
- if (len > 0) memcpy((void *)((char*)p+dbuf.dsize+sizeof(rec)), buf, len);
+ if (len > 0)
+ memcpy((void *)((char*)p+dbuf.dsize+sizeof(rec)), buf, len);
SAFE_FREE(dbuf.dptr);
dbuf.dptr = p;
@@ -256,7 +260,8 @@ static BOOL message_recv(int *msg_type, pid_t *src, void **buf, size_t *len)
tdb_chainlock(tdb, kbuf);
dbuf = tdb_fetch(tdb, kbuf);
- if (dbuf.dptr == NULL || dbuf.dsize == 0) goto failed;
+ if (dbuf.dptr == NULL || dbuf.dsize == 0)
+ goto failed;
memcpy(&rec, dbuf.dptr, sizeof(rec));
@@ -267,7 +272,8 @@ static BOOL message_recv(int *msg_type, pid_t *src, void **buf, size_t *len)
if (rec.len > 0) {
(*buf) = (void *)malloc(rec.len);
- if (!(*buf)) goto failed;
+ if (!(*buf))
+ goto failed;
memcpy(*buf, dbuf.dptr+sizeof(rec), rec.len);
} else {
@@ -293,6 +299,7 @@ static BOOL message_recv(int *msg_type, pid_t *src, void **buf, size_t *len)
failed:
tdb_chainunlock(tdb, kbuf);
+ SAFE_FREE(dbuf.dptr);
return False;
}
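Review bot: message_recv still trusts the fetched record for its own size. The check before `goto failed` rejects only `dbuf.dsize == 0`, yet the next `memcpy(&rec, dbuf.dptr, sizeof(rec))` reads sizeof(rec) bytes, and the later `memcpy(*buf, dbuf.dptr+sizeof(rec), rec.len)` copies a length taken from the record itself. Now that `failed:` frees `dbuf.dptr`, it is the natural exit for bounds checks: `if (dbuf.dptr == NULL || dbuf.dsize < sizeof(rec)) goto failed;` and, after the header copy, `if (rec.len > dbuf.dsize - sizeof(rec)) goto failed;`. The lines between these hunks are not shown, so an existing check there cannot be ruled out.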