diff options
author | Jeremy Allison <jra@samba.org> | 2010-02-19 14:18:51 -0800 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2010-02-19 14:26:12 -0800 |
commit | ad77ae1d5870e06f8587ecf634e0b6bdcbb950d7 (patch) | |
tree | 595e7b550fb7fe644280499689d7bd0c543bcd69 /source3 | |
parent | fff7750618ca7e92b7eaea541cd917d778b51a35 (diff) | |
download | samba-ad77ae1d5870e06f8587ecf634e0b6bdcbb950d7.tar.gz samba-ad77ae1d5870e06f8587ecf634e0b6bdcbb950d7.tar.bz2 samba-ad77ae1d5870e06f8587ecf634e0b6bdcbb950d7.zip |
First part of fix for bug #7159 - client rpc_transport doesn't cope with bad server data returns.
Ensure that subreq is *always* talloc_free'd in the _done
function, as it has an event timeout attached. If the
read requests look longer than the cli->timeout, then
the timeout fn is called with already freed data.
Jeremy.
Diffstat (limited to 'source3')
-rw-r--r-- | source3/rpc_client/rpc_transport_np.c | 4 | ||||
-rw-r--r-- | source3/rpc_client/rpc_transport_sock.c | 12 |
2 files changed, 16 insertions, 0 deletions
diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c index 9f8872c467..501aa50b03 100644 --- a/source3/rpc_client/rpc_transport_np.c +++ b/source3/rpc_client/rpc_transport_np.c @@ -157,6 +157,9 @@ static void rpc_np_read_done(struct tevent_req *subreq) NTSTATUS status; uint8_t *rcvbuf; + /* We must free subreq in this function as there is + a timer event attached to it. */ + status = cli_read_andx_recv(subreq, &state->received, &rcvbuf); /* * We can't TALLOC_FREE(subreq) as usual here, as rcvbuf still is a @@ -178,6 +181,7 @@ static void rpc_np_read_done(struct tevent_req *subreq) } memcpy(state->data, rcvbuf, state->received); + TALLOC_FREE(subreq); tevent_req_done(req); } diff --git a/source3/rpc_client/rpc_transport_sock.c b/source3/rpc_client/rpc_transport_sock.c index df060e61e9..4ab17dbd8d 100644 --- a/source3/rpc_client/rpc_transport_sock.c +++ b/source3/rpc_client/rpc_transport_sock.c @@ -88,15 +88,21 @@ static void rpc_sock_read_done(struct tevent_req *subreq) req, struct rpc_sock_read_state); int err; + /* We must free subreq in this function as there is + a timer event attached to it. */ + state->received = async_recv_recv(subreq, &err); + if (state->received == -1) { if (state->transp->fd != -1) { close(state->transp->fd); state->transp->fd = -1; } + TALLOC_FREE(subreq); tevent_req_nterror(req, map_nt_error_from_unix(err)); return; } + TALLOC_FREE(subreq); tevent_req_done(req); } @@ -165,15 +171,21 @@ static void rpc_sock_write_done(struct tevent_req *subreq) req, struct rpc_sock_write_state); int err; + /* We must free subreq in this function as there is + a timer event attached to it. */ + state->sent = async_send_recv(subreq, &err); + if (state->sent == -1) { if (state->transp->fd != -1) { close(state->transp->fd); state->transp->fd = -1; } + TALLOC_FREE(subreq); tevent_req_nterror(req, map_nt_error_from_unix(err)); return; } + TALLOC_FREE(subreq); tevent_req_done(req); } |