authorVolker Lendecke <vl@samba.org>2010-07-06 15:07:05 +0200
committerVolker Lendecke <vl@samba.org>2010-07-06 15:11:31 +0200
commitb4c3f72d445a5659971b0080ab1eba88695d2a0d (patch)
tree923d5c7d1a535b89f2a61f80ed92ea9fbe2fb676 /source3/rpc_server/srv_pipe_hnd.c
parent60a3cc850a27a14110541439c05387efb0312210 (diff)
s3: Fix a segfault in the RPC server
After converting the rpc infrastructure to talloc, read_from_internal_pipe freed the outdata too early. If the last fragment was read in two pieces (as rpcclient does it), all the outdata was freed while reading the first piece of the last fragment. Later read&x calls, trying to read the rest of the last fragment, stepped into p->out_data.frag with a non-zero offset when it was already freed.
Diffstat (limited to 'source3/rpc_server/srv_pipe_hnd.c')
-rw-r--r--source3/rpc_server/srv_pipe_hnd.c17
1 files changed, 9 insertions, 8 deletions
diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c
index a77b9eabc0..e9339929df 100644
--- a/source3/rpc_server/srv_pipe_hnd.c
+++ b/source3/rpc_server/srv_pipe_hnd.c
@@ -858,15 +858,16 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
* current_pdu_sent. */
p->out_data.current_pdu_sent = 0;
prs_mem_free(&p->out_data.frag);
- }
- if(p->out_data.data_sent_length >= prs_offset(&p->out_data.rdata)) {
- /*
- * We're completely finished with both outgoing and
- * incoming data streams. It's safe to free all temporary
- * data from this request.
- */
- free_pipe_context(p);
+ if (p->out_data.data_sent_length
+ >= prs_offset(&p->out_data.rdata)) {
+ /*
+ * We're completely finished with both outgoing and
+ * incoming data streams. It's safe to free all
+ * temporary data from this request.
+ */
+ free_pipe_context(p);
+ }
}
return data_returned;
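Review bot: The comment kept inside the newly nested `if` still says only that it is "safe to free all temporary data", so nothing in the code records why `free_pipe_context(p)` must now sit inside the fragment-complete branch. Going by the commit description, the context free also releases the memory behind `p->out_data.frag`, so running it while part of the last fragment is still unread leaves later reads pointing at freed memory. I would state that lifetime rule at the nested check, e.g. `/* Only once the current fragment is fully sent: freeing the context also releases out_data.frag, which a partial read of the last fragment still needs. */`. A regression test that reads the final fragment in two pieces, as the description says rpcclient does, would keep this ordering from being undone. The enclosing function begins above the hunk, so the condition guarding this branch is not visible here.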