authorJeremy Allison <jra@samba.org>2006-12-13 22:19:10 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:16:28 -0500
commit25f897053946eb9eeb56acb090ef691bf0e7edd4 (patch)
tree21f04b27ee159013125a086b47d43d6632f55129 /source3/lib
parent1da72a1c3f1eddb2c5d7d8c25439254fc6df04e4 (diff)
r20160: Fix long-standing (ie. from initial code I think) bug
in tdb message processing. If we're inside a dispatch function and we delete our own handler we'd walk onto the next pointer from a deleted memory block. Fixes crash bug in winbindd (and goodness knows where else). Jeremy. (This used to be commit 27a4c1121404e346432d90b97b518861e038e9f2)
Diffstat (limited to 'source3/lib')
-rw-r--r--source3/lib/messages.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/source3/lib/messages.c b/source3/lib/messages.c
index 93e12ebe35..10fc5af24d 100644
--- a/source3/lib/messages.c
+++ b/source3/lib/messages.c
@@ -471,7 +471,6 @@ void message_dispatch(void)
char *buf;
char *msgs_buf;
size_t len, total_len;
- struct dispatch_fns *dfn;
int n_handled;
if (!received_signal)
@@ -485,11 +484,15 @@ void message_dispatch(void)
return;
for (buf = msgs_buf; message_recv(msgs_buf, total_len, &msg_type, &src, &buf, &len); buf += len) {
+ struct dispatch_fns *dfn, *next;
+
DEBUG(10,("message_dispatch: received msg_type=%d "
"src_pid=%u\n", msg_type,
(unsigned int) procid_to_pid(&src)));
+
n_handled = 0;
- for (dfn = dispatch_fns; dfn; dfn = dfn->next) {
+ for (dfn = dispatch_fns; dfn; dfn = next) {
+ next = dfn->next;
if (dfn->msg_type == msg_type) {
DEBUG(10,("message_dispatch: processing message of type %d.\n", msg_type));
dfn->fn(msg_type, src, len ? (void *)buf : NULL, len);
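Review bot: Caching `next = dfn->next;` before `dfn->fn(...)` only protects against a handler that frees its own node; if a handler deregisters a different entry that happens to be the saved `next`, the `dfn = next` step would still walk into freed memory. The deregistration code is not visible on this page, so this is inferred from the commit description, but it is worth confirming, since this loop is driven by messages sent from other processes. If that case is reachable, deferring the unlink and free until the dispatch loop has finished (for example by marking entries as deleted while dispatching) would close it. At minimum I would document the invariant at the assignment, e.g. `/* dfn->fn() may deregister and free dfn, so fetch next first; not safe if it frees the next entry. */`. The loop body continues past the end of the hunk.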