author | Andrew Tridgell <tridge@samba.org> | 1998-08-30 04:27:26 +0000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 1998-08-30 04:27:26 +0000 |
commit | 1778debff146423e3543d40c2fe8413a34888a27 (patch) | |
tree | 41119cab58d30a359cd0082ddf3a3ab86e93932b /source3/nmbd/nmbd_responserecordsdb.c | |
parent | 48514704c2825bcde8bed3b92255ba2abcb955b4 (diff) | |
added some defensive programming to nmbd. This mostly means zeroing
areas of memory before freeing them.
While doing this I also found a couple of real bugs. In two places we
were freeing some memory that came from the stack, which leads to
a certain core dump on many systems.
(This used to be commit c5e5c25c854e54f59291057ba47c4701b5910ebe)
Diffstat (limited to 'source3/nmbd/nmbd_responserecordsdb.c')
-rw-r--r-- | source3/nmbd/nmbd_responserecordsdb.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/source3/nmbd/nmbd_responserecordsdb.c b/source3/nmbd/nmbd_responserecordsdb.c
index 6dae0d43e9..21defa970c 100644
--- a/source3/nmbd/nmbd_responserecordsdb.c
+++ b/source3/nmbd/nmbd_responserecordsdb.c
@@ -80,16 +80,19 @@ void remove_response_record(struct subnet_record *subrec,
 if(rrec->userdata) {
- if(rrec->userdata->free_fn)
- (*rrec->userdata->free_fn)(rrec->userdata);
- else
- free((char *)rrec->userdata);
+ if(rrec->userdata->free_fn) {
+ (*rrec->userdata->free_fn)(rrec->userdata);
+ } else {
+ ZERO_STRUCTP(rrec->userdata);
+ free((char *)rrec->userdata);
+ }
 }
 /* Ensure we can delete. */
 rrec->packet->locked = False;
 free_packet(rrec->packet);
+ ZERO_STRUCTP(rrec);
 free((char *)rrec);
 num_response_packets--; /* count of total number of packets still around */
@@ -135,6 +138,7 @@ struct response_record *make_response_record( struct subnet_record *subrec,
 if((rrec->userdata = (*userdata->copy_fn)(userdata)) == NULL) {
 DEBUG(0,("make_response_queue_record: copy fail for userdata.\n"));
+ ZERO_STRUCTP(rrec);
 free(rrec);
 return NULL;
 }
@@ -146,6 +150,7 @@ struct response_record *make_response_record( struct subnet_record *subrec,
 malloc(sizeof(struct userdata_struct)+userdata->userdata_len)) == NULL) {
 DEBUG(0,("make_response_queue_record: malloc fail for userdata.\n"));
+ ZERO_STRUCTP(rrec);
 free(rrec);
 return NULL;
 } |
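Review bot: In the new `else` branch of remove_response_record, `ZERO_STRUCTP(rrec->userdata)` presumably clears only `sizeof(struct userdata_struct)` (the macro is defined outside this diff), while the allocation visible in the last hunk is `sizeof(struct userdata_struct)+userdata->userdata_len`, so the trailing payload bytes would be freed unscrubbed. If the intent is that no stale userdata survives the free, clear the whole allocation before freeing it, e.g. `memset(rrec->userdata, 0, sizeof(struct userdata_struct) + rrec->userdata->userdata_len);`. The `free_fn` branch gets no scrub here and depends on each callback doing its own; a comment such as `/* free_fn owns scrubbing of its own userdata */` would make that contract explicit. The function body starts and ends outside this hunk.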
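Review bot: The `ZERO_STRUCTP(rrec); free(rrec);` pair added on the copy_fn failure path of make_response_record is repeated verbatim on the malloc failure path in the next hunk and, with a cast, at the end of remove_response_record; one static helper would keep the three sites from drifting apart. If ZERO_STRUCTP expands to a plain memset, a store into memory that is freed on the very next line is a dead store that an optimizing compiler may remove, so the helper is also the one place to make the scrub non-elidable (for instance `explicit_bzero` where the platform provides it). I would document the helper with `/* scrub before free so a stale pointer reads zeros, not old record data */`. Both error paths sit inside a function whose body begins and ends outside these hunks.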