diff options
author | Andreas Schneider <asn@samba.org> | 2011-08-03 23:44:45 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2011-08-04 12:31:18 +0200 |
commit | 68e7b9307adabd9e3e12e95e0995051d366d8cf5 (patch) | |
tree | 991851d9e70f4d3acc00b89b3ab84fe9917bd589 /source4/librpc/rpc/dcerpc_smb.c | |
parent | fff3f290736f0b75903bfefeb961ee935930303b (diff) | |
download | samba-68e7b9307adabd9e3e12e95e0995051d366d8cf5.tar.gz samba-68e7b9307adabd9e3e12e95e0995051d366d8cf5.tar.bz2 samba-68e7b9307adabd9e3e12e95e0995051d366d8cf5.zip |
s4-librpc: Fix double free.
Autobuild-User: Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date: Thu Aug 4 12:31:18 CEST 2011 on sn-devel-104
Diffstat (limited to 'source4/librpc/rpc/dcerpc_smb.c')
-rw-r--r-- | source4/librpc/rpc/dcerpc_smb.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/source4/librpc/rpc/dcerpc_smb.c b/source4/librpc/rpc/dcerpc_smb.c index 395e067255..c2312953f8 100644 --- a/source4/librpc/rpc/dcerpc_smb.c +++ b/source4/librpc/rpc/dcerpc_smb.c @@ -79,6 +79,7 @@ struct smb_read_state { */ static void smb_read_callback(struct smbcli_request *req) { + struct dcecli_connection *c; struct smb_private *smb; struct smb_read_state *state; union smb_read *io; @@ -88,11 +89,12 @@ static void smb_read_callback(struct smbcli_request *req) state = talloc_get_type(req->async.private_data, struct smb_read_state); smb = talloc_get_type(state->c->transport.private_data, struct smb_private); io = state->io; + c = state->c; status = smb_raw_read_recv(state->req, io); if (NT_STATUS_IS_ERR(status)) { - pipe_dead(state->c, status); talloc_free(state); + pipe_dead(c, status); return; } @@ -101,8 +103,8 @@ static void smb_read_callback(struct smbcli_request *req) if (state->received < 16) { DEBUG(0,("dcerpc_smb: short packet (length %d) in read callback!\n", (int)state->received)); - pipe_dead(state->c, NT_STATUS_INFO_LENGTH_MISMATCH); talloc_free(state); + pipe_dead(c, NT_STATUS_INFO_LENGTH_MISMATCH); return; } @@ -110,7 +112,6 @@ static void smb_read_callback(struct smbcli_request *req) if (frag_length <= state->received) { DATA_BLOB data = state->data; - struct dcecli_connection *c = state->c; data.length = state->received; talloc_steal(state->c, data.data); talloc_free(state); @@ -128,8 +129,8 @@ static void smb_read_callback(struct smbcli_request *req) state->req = smb_raw_read_send(smb->tree, io); if (state->req == NULL) { - pipe_dead(state->c, NT_STATUS_NO_MEMORY); talloc_free(state); + pipe_dead(c, NT_STATUS_NO_MEMORY); return; } @@ -257,7 +258,7 @@ static NTSTATUS smb_send_trans_request(struct dcecli_connection *c, DATA_BLOB *b struct smb_trans_state *state; uint16_t max_data; - state = talloc(smb, struct smb_trans_state); + state = talloc(c, struct smb_trans_state); if (state == NULL) { return NT_STATUS_NO_MEMORY; } |