author | Simo Sorce <idra@samba.org> | 2009-03-09 18:04:38 -0400 |
---|---|---|
committer | Simo Sorce <idra@samba.org> | 2009-03-09 20:12:11 -0400 |
commit | f088353d37b433af7b979a17871233cccddf7aca (patch) | |
tree | 35a022bf85b756bb500fda1b195aeb938da29925 /source4/lib/ldb/ldb_tdb/ldb_search.c | |
parent | 218ce0e80532b0dbc595e72502d9596a35acdffd (diff) | |
Fix potential segfaults using freed memory.

In some code paths ltdb_context was still referenced even after we were returned
an error by one of the callbacks. Because the interface assumes that once an
error is returned the ldb_request may be freed, and because the ltdb_context was
allocated as a child of the request, this might cause access to freed memory.

Allocate the ltdb_context on ldb, and keep track of what's going on with the
request by adding a spy child on it. This way even if the request is freed
before the ltdb_callback is called, we will safely free the ctx and just quietly
return.
Diffstat (limited to 'source4/lib/ldb/ldb_tdb/ldb_search.c')
-rw-r--r-- | source4/lib/ldb/ldb_tdb/ldb_search.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/source4/lib/ldb/ldb_tdb/ldb_search.c b/source4/lib/ldb/ldb_tdb/ldb_search.c index 0f595267fc..d395c28f28 100644 --- a/source4/lib/ldb/ldb_tdb/ldb_search.c +++ b/source4/lib/ldb/ldb_tdb/ldb_search.c @@ -424,10 +424,10 @@ static int search_func(struct tdb_context *tdb, TDB_DATA key, TDB_DATA data, voi ret = ldb_module_send_entry(ac->req, msg, NULL); if (ret != LDB_SUCCESS) { - ac->callback_failed = true; + ac->request_terminated = true; /* the callback failed, abort the operation */ return -1; - } + } return 0; } @@ -544,7 +544,7 @@ int ltdb_search(struct ltdb_context *ctx) /* Check if we got just a normal error. * In that case proceed to a full search unless we got a * callback error */ - if ( ! ctx->callback_failed && ret != LDB_SUCCESS) { + if ( ! ctx->request_terminated && ret != LDB_SUCCESS) { /* Not indexed, so we need to do a full scan */ ret = ltdb_search_full(ctx); if (ret != LDB_SUCCESS) { |
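Review bot: In the search_func hunk (@@ -424), the comment left under the renamed flag still reads "the callback failed, abort the operation", which does not explain why the field is now called request_terminated. Since the failure of ldb_module_send_entry(ac->req, msg, NULL) is the point after which the request may already be freed, the comment should say so and state that ac->req must not be touched after the flag is set. The "- }" / "+ }" pair in the same hunk is a whitespace-only change to the closing brace; either mention it in the commit message or split it out so the rename is the only thing under review.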
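Review bot: In the ltdb_search hunk (@@ -544), the comment above the changed condition still says "unless we got a callback error" while the test is now on ctx->request_terminated, so comment and code disagree about what is being checked. Reword it to describe the terminated-request case. The visible lines only show that the fallback to ltdb_search_full(ctx) is skipped when the flag is set; the code following this block is outside the hunk, so please confirm that it does not dereference ctx->req on that path, given that the commit message says the request may already be freed once an error has been returned.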