added some defensive programming to nmbd. This mostly means zeroing

areas of memory before freeing them.

While doing this I also found a couple of real bugs. In two places we
were freeing some memory that came from the stack, which leads to
a certain core dump on many sytems.
(This used to be commit c5e5c25c854e54f59291057ba47c4701b5910ebe)

1 files changed, 9 insertions, 4 deletions

diff --git a/source3/nmbd/nmbd_responserecordsdb.c b/source3/nmbd/nmbd_responserecordsdb.c
index 6dae0d43e9..21defa970c 100644
--- a/source3/nmbd/nmbd_responserecordsdb.c
+++ b/source3/nmbd/nmbd_responserecordsdb.c
@@ -80,16 +80,19 @@ void remove_response_record(struct subnet_record *subrec,
 
   if(rrec->userdata)
   {
-    if(rrec->userdata->free_fn)
-      (*rrec->userdata->free_fn)(rrec->userdata);
-    else
-      free((char *)rrec->userdata);
+	  if(rrec->userdata->free_fn) {
+		  (*rrec->userdata->free_fn)(rrec->userdata);
+	  } else {
+		  ZERO_STRUCTP(rrec->userdata);
+		  free((char *)rrec->userdata);
+	  }
   }
 
   /* Ensure we can delete. */
   rrec->packet->locked = False;
   free_packet(rrec->packet);
 
+  ZERO_STRUCTP(rrec);
   free((char *)rrec);
 
   num_response_packets--; /* count of total number of packets still around */
@@ -135,6 +138,7 @@ struct response_record *make_response_record( struct subnet_record *subrec,
       if((rrec->userdata = (*userdata->copy_fn)(userdata)) == NULL)
       {
         DEBUG(0,("make_response_queue_record: copy fail for userdata.\n"));
+	ZERO_STRUCTP(rrec);
         free(rrec);
         return NULL;
       }
@@ -146,6 +150,7 @@ struct response_record *make_response_record( struct subnet_record *subrec,
            malloc(sizeof(struct userdata_struct)+userdata->userdata_len)) == NULL)
       {
         DEBUG(0,("make_response_queue_record: malloc fail for userdata.\n"));
+	ZERO_STRUCTP(rrec);
         free(rrec);
         return NULL;
       }