summaryrefslogtreecommitdiff
path: root/source3/rpc_client/rpc_transport_np.c
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2010-02-19 14:18:51 -0800
committerJeremy Allison <jra@samba.org>2010-02-19 14:26:12 -0800
commitad77ae1d5870e06f8587ecf634e0b6bdcbb950d7 (patch)
tree595e7b550fb7fe644280499689d7bd0c543bcd69 /source3/rpc_client/rpc_transport_np.c
parentfff7750618ca7e92b7eaea541cd917d778b51a35 (diff)
downloadsamba-ad77ae1d5870e06f8587ecf634e0b6bdcbb950d7.tar.gz
samba-ad77ae1d5870e06f8587ecf634e0b6bdcbb950d7.tar.bz2
samba-ad77ae1d5870e06f8587ecf634e0b6bdcbb950d7.zip
First part of fix for bug #7159 - client rpc_transport doesn't cope with bad server data returns.
Ensure that subreq is *always* talloc_free'd in the _done function, as it has an event timeout attached. If the read requests look longer than the cli->timeout, then the timeout fn is called with already freed data. Jeremy.
Diffstat (limited to 'source3/rpc_client/rpc_transport_np.c')
-rw-r--r--source3/rpc_client/rpc_transport_np.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
index 9f8872c467..501aa50b03 100644
--- a/source3/rpc_client/rpc_transport_np.c
+++ b/source3/rpc_client/rpc_transport_np.c
@@ -157,6 +157,9 @@ static void rpc_np_read_done(struct tevent_req *subreq)
NTSTATUS status;
uint8_t *rcvbuf;
+ /* We must free subreq in this function as there is
+ a timer event attached to it. */
+
status = cli_read_andx_recv(subreq, &state->received, &rcvbuf);
/*
* We can't TALLOC_FREE(subreq) as usual here, as rcvbuf still is a
@@ -178,6 +181,7 @@ static void rpc_np_read_done(struct tevent_req *subreq)
}
memcpy(state->data, rcvbuf, state->received);
+ TALLOC_FREE(subreq);
tevent_req_done(req);
}