diff options
author | Jeremy Allison <jra@samba.org> | 2006-12-09 02:58:18 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:16:24 -0500 |
commit | 63609fbb04d2ce620338b4b79e7c1abf39f08ef8 (patch) | |
tree | c036fe84a97efbee490c470051cf1de360d502d3 /source3/nsswitch/winbindd_cm.c | |
parent | 19ddef3dd9065b04896c626e7b4c691c7bbbec53 (diff) | |
download | samba-63609fbb04d2ce620338b4b79e7c1abf39f08ef8.tar.gz samba-63609fbb04d2ce620338b4b79e7c1abf39f08ef8.tar.bz2 samba-63609fbb04d2ce620338b4b79e7c1abf39f08ef8.zip |
r20090: Fix a class of bugs found by James Peach. Ensure
we never mix malloc and talloc'ed contexts in the
add_XX_to_array() and add_XX_to_array_unique()
calls. Ensure that these calls always return
False on out of memory, True otherwise and always
check them. Ensure that the relevent parts of
the conn struct and the nt_user_tokens are
TALLOC_DESTROYED not SAFE_FREE'd.
James - this should fix your crash bug in both
branches.
Jeremy.
(This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
Diffstat (limited to 'source3/nsswitch/winbindd_cm.c')
-rw-r--r-- | source3/nsswitch/winbindd_cm.c | 38 |
1 files changed, 27 insertions, 11 deletions
diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c index 330ba4ca9b..2c341d5efa 100644 --- a/source3/nsswitch/winbindd_cm.c +++ b/source3/nsswitch/winbindd_cm.c @@ -692,8 +692,10 @@ static BOOL add_sockaddr_to_array(TALLOC_CTX *mem_ctx, { *addrs = TALLOC_REALLOC_ARRAY(mem_ctx, *addrs, struct sockaddr_in, (*num)+1); - if (*addrs == NULL) + if (*addrs == NULL) { + *num = 0; return False; + } (*addrs)[*num].sin_family = PF_INET; putip((char *)&((*addrs)[*num].sin_addr), (char *)&ip); @@ -987,15 +989,23 @@ static BOOL find_new_dc(TALLOC_CTX *mem_ctx, for (i=0; i<num_dcs; i++) { - add_string_to_array(mem_ctx, dcs[i].name, - &dcnames, &num_dcnames); - add_sockaddr_to_array(mem_ctx, dcs[i].ip, 445, - &addrs, &num_addrs); + if (!add_string_to_array(mem_ctx, dcs[i].name, + &dcnames, &num_dcnames)) { + return False; + } + if (!add_sockaddr_to_array(mem_ctx, dcs[i].ip, 445, + &addrs, &num_addrs)) { + return False; + } - add_string_to_array(mem_ctx, dcs[i].name, - &dcnames, &num_dcnames); - add_sockaddr_to_array(mem_ctx, dcs[i].ip, 139, - &addrs, &num_addrs); + if (!add_string_to_array(mem_ctx, dcs[i].name, + &dcnames, &num_dcnames)) { + return False; + } + if (!add_sockaddr_to_array(mem_ctx, dcs[i].ip, 139, + &addrs, &num_addrs)) { + return False; + } } if ((num_dcnames == 0) || (num_dcnames != num_addrs)) @@ -1102,8 +1112,14 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain, int num_addrs = 0; int dummy = 0; - add_sockaddr_to_array(mem_ctx, domain->dcaddr.sin_addr, 445, &addrs, &num_addrs); - add_sockaddr_to_array(mem_ctx, domain->dcaddr.sin_addr, 139, &addrs, &num_addrs); + if (!add_sockaddr_to_array(mem_ctx, domain->dcaddr.sin_addr, 445, &addrs, &num_addrs)) { + set_domain_offline(domain); + return NT_STATUS_NO_MEMORY; + } + if (!add_sockaddr_to_array(mem_ctx, domain->dcaddr.sin_addr, 139, &addrs, &num_addrs)) { + set_domain_offline(domain); + return NT_STATUS_NO_MEMORY; + } /* 5 second timeout. */ if (!open_any_socket_out(addrs, num_addrs, 5000, &dummy, &fd)) { |