this is a big global fix for the ptr = Realloc(ptr, size) bug.

many possible mem leaks, and segfaults fixed.

someone should port this fix to 2.2 also.
(This used to be commit fa8e55b8b465114ce209344965c1ca0333b84db9)

2 files changed, 38 insertions, 11 deletions

diff --git a/source3/libsmb/clilist.c b/source3/libsmb/clilist.c
index b7624486d6..609f5f2331 100644
--- a/source3/libsmb/clilist.c
+++ b/source3/libsmb/clilist.c
@@ -141,7 +141,7 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
 	pstring mask;
 	file_info finfo;
 	int i;
-	char *dirlist = NULL;
+	char *tdl, *dirlist = NULL;
 	int dirlist_len = 0;
 	int total_received = -1;
 	BOOL First = True;
@@ -259,12 +259,13 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
 		}
  
 		/* and add them to the dirlist pool */
-		dirlist = Realloc(dirlist,dirlist_len + data_len);
+		tdl = Realloc(dirlist,dirlist_len + data_len);
 
-		if (!dirlist) {
-			DEBUG(0,("Failed to expand dirlist\n"));
+		if (!tdl) {
+			DEBUG(0,("cli_list_new: Failed to expand dirlist\n"));
 			break;
 		}
+		else dirlist = tdl;
 
 		/* put in a length for the last entry, to ensure we can chain entries 
 		   into the next packet */
@@ -340,7 +341,7 @@ int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute,
 	int num_asked = (cli->max_xmit - 100)/DIR_STRUCT_SIZE;
 	int num_received = 0;
 	int i;
-	char *dirlist = NULL;
+	char *tdl, *dirlist = NULL;
 	pstring mask;
 	
 	ZERO_ARRAY(status);
@@ -385,10 +386,14 @@ int cli_list_old(struct cli_state *cli,const char *Mask,uint16 attribute,
 
 		first = False;
 
-		dirlist = Realloc(dirlist,(num_received + received)*DIR_STRUCT_SIZE);
+		tdl = Realloc(dirlist,(num_received + received)*DIR_STRUCT_SIZE);
 
-		if (!dirlist) 
+		if (!tdl) {
+			DEBUG(0,("cli_list_old: failed to expand dirlist"));
+			if (dirlist) free(dirlist);
 			return 0;
+		}
+		else dirlist = tdl;
 
 		p = smb_buf(cli->inbuf) + 3;
 
diff --git a/source3/libsmb/clitrans.c b/source3/libsmb/clitrans.c
index ac50c7bf6d..c4e19b9375 100644
--- a/source3/libsmb/clitrans.c
+++ b/source3/libsmb/clitrans.c
@@ -147,6 +147,7 @@ BOOL cli_receive_trans(struct cli_state *cli,int trans,
 	int this_data,this_param;
 	uint8 eclass;
 	uint32 ecode;
+	char *tdata;
 
 	*data_len = *param_len = 0;
 
@@ -187,8 +188,18 @@ BOOL cli_receive_trans(struct cli_state *cli,int trans,
 	total_param = SVAL(cli->inbuf,smb_tprcnt);
 
 	/* allocate it */
-	*data = Realloc(*data,total_data);
-	*param = Realloc(*param,total_param);
+	tdata = Realloc(*data,total_data);
+	if (!tdata) {
+		DEBUG(0,("cli_receive_trans: failed to enlarge buffer"));
+		return False;
+	}
+	else *data = tdata;
+	tdata = Realloc(*param,total_param);
+	if (!tdata) {
+		DEBUG(0,("cli_receive_trans: failed to enlarge buffer"));
+		return False;
+	}
+	else *param = tdata;
 
 	while (1)  {
 		this_data = SVAL(cli->inbuf,smb_drcnt);
@@ -358,6 +369,7 @@ BOOL cli_receive_nt_trans(struct cli_state *cli,
 	int this_data,this_param;
 	uint8 eclass;
 	uint32 ecode;
+	char *tdata;
 
 	*data_len = *param_len = 0;
 
@@ -389,8 +401,18 @@ BOOL cli_receive_nt_trans(struct cli_state *cli,
 	total_param = SVAL(cli->inbuf,smb_ntr_TotalParameterCount);
 
 	/* allocate it */
-	*data = Realloc(*data,total_data);
-	*param = Realloc(*param,total_param);
+	tdata = Realloc(*data,total_data);
+	if (!tdata) {
+		DEBUG(0,("cli_receive_nt_trans: failed to enlarge buffer"));
+		return False;
+	}
+	else *data = tdata;
+	tdata = Realloc(*param,total_param);
+	if (!tdata) {
+		DEBUG(0,("cli_receive_nt_trans: failed to enlarge buffer"));
+		return False;
+	}
+	else *param = tdata;
 
 	while (1)  {
 		this_data = SVAL(cli->inbuf,smb_ntr_DataCount);